Abstract. Craig interpolation has emerged as an effective means of generating candidate program invariants. We present interpolation procedures for the theories of Presburger arithmetic combined with (i) uninterpreted predicates (QPA+UP), (ii) uninterpreted functions (QPA+UF) and (iii) extensional arrays (QPA+AR). We prove that none of these combinations can be effectively interpolated without the use of quantifiers, even if the input formulae are quantifier-free. We go on to identify fragments of QPA+UP and QPA+UF with restricted forms of guarded quantification that are closed under interpolation. Formulae in these fragments can easily be mapped to quantifier-free expressions with integer division. For QPA+AR, we formulate a sound interpolation procedure that potentially produces interpolants with unrestricted quantifiers.

1 Introduction 

Given two first-order logic formulae A and C such that A implies C, written A ⇒ C, Craig interpolation determines a formula I such that the implications A ⇒ I and I ⇒ C hold, and I contains only non-logical symbols occurring in both A and C [2]. Interpolation has emerged as a practical approximation method in computing and has found many uses in formal verification, ranging from efficient image computations in SAT-based model checking, to computing candidate invariants in automated program analysis.

In software verification, interpolation is applied to formulae encoding the 
transition relation of a model underlying the program. In order to support a 
wide variety of programming language constructs, much effort has been invested 
in the design of algorithms that compute interpolants for formulae of various 
first-order theories. For example, interpolating integer arithmetic solvers have 
been reported for fragments such as difference-bound logic, linear equalities, 
and constant-divisibility predicates. 

The goal of this paper is an interpolation procedure that is instrumental in analysing programs manipulating integer variables. We therefore consider the first-order theory of quantified Presburger arithmetic (quantified linear integer arithmetic), denoted QPA. Combined with uninterpreted predicates (UP) and uninterpreted functions (UF), this allows us to encode the theory of extensional arrays (AR), using uninterpreted function symbols for read and write operations. Our interpolation procedure extracts an interpolant directly from a proof of A ⇒ C. Starting from a sound and complete proof system based on a sequent calculus, the proof rules are extended by labelled formulae and annotations that reduce, at the root of a closed proof, to interpolants. In earlier work, we presented a similar procedure for quantifier-free Presburger arithmetic [3].

In program verification, an interpolating theorem prover often interacts tightly with various decision procedures. It is therefore advantageous for the interpolants computed by the prover to be expressible in simple logic fragments. Unfortunately, interpolation procedures for expressive first-order fragments, such as integer arithmetic with uninterpreted predicates, often generate interpolants with quantifiers, which makes subsequent calls to decision procedures involving these interpolants expensive. This is not by accident. In fact, in this paper we first show that interpolation of QPA+UP in general requires the use of quantifiers, even if the input formulae are themselves free of quantifiers.

In order to solve this problem, we study fragments of QPA+UP that are closed under interpolation: fragments such that interpolants for input formulae can again be expressed in the theory. By the result above, such fragments must allow at least a limited form of quantification. Our second contribution is to show that the theory PAID+UP of Presburger arithmetic with uninterpreted predicates and a restricted form of guarded quantifiers indeed has the closure property. A similar fragment, PAID+UF, can be identified for the combination of Presburger arithmetic with uninterpreted functions. Moreover, by allowing integer divisibility (ID) predicates, the guarded quantifiers can be rewritten into quantifier-free form, facilitating further processing of the interpolants.

In summary, we present in this paper an interpolating calculus for the first-order theory of Presburger arithmetic and uninterpreted predicates, QPA+UP. We show that, for some quantifier-free input formulae, quantifiers in interpolants cannot be avoided, and suggest a restriction of QPA+UP that is closed under interpolation, yet permits quantifier-free interpolants conveniently expressible in standard logics. We extend these results to Presburger theories with uninterpreted functions and, specifically, to quantified array theory, resulting in the first sound interpolating decision procedure for Presburger arithmetic and arrays.

2 Background 

2.1 Presburger Arithmetic with Predicates and Functions 

Presburger arithmetic. We assume familiarity with classical first-order logic (e.g., [4]). Let x range over an infinite set X of variables, c over an infinite set C of constants, p over a set P of uninterpreted predicates with fixed arity, f over a set F of uninterpreted functions with fixed arity, and α over the set ℤ of integers. (Note the distinction between constant symbols, such as c, and integer literals, such as 42.) The syntax of terms and formulae considered in this paper is defined by the following grammar:

$$
\begin{aligned}
\phi &::= t = 0 \;|\; t \leq 0 \;|\; \alpha \mid t \;|\; p(t, \ldots, t) \;|\; \phi \wedge \phi \;|\; \phi \vee \phi \;|\; \neg\phi \;|\; \forall x.\phi \;|\; \exists x.\phi \\
t &::= \alpha \;|\; c \;|\; x \;|\; \alpha t + \cdots + \alpha t \;|\; f(t, \ldots, t)
\end{aligned}
$$

The symbol t denotes terms of linear arithmetic. Divisibility atoms $\alpha \mid t$ are equivalent to formulae $\exists s.\, \alpha s - t = 0$, but are required for quantifier-free interpolation. Simultaneous substitution of a vector of terms $\bar t = (t_1, \ldots, t_n)$ for variables $\bar x = (x_1, \ldots, x_n)$ in φ is denoted by $[\bar x/\bar t]\phi$; we assume that variable capture is avoided by renaming bound variables as necessary. For simplicity, we sometimes write s = t as a shorthand of s − t = 0, and ∀c.φ as a shorthand of ∀x.[c/x]φ if c is a constant. The abbreviation true (false) stands for the equality 0 = 0 (1 = 0), and the formula φ → ψ abbreviates ¬φ ∨ ψ. Semantic notions such as structures, models, satisfiability, and validity are defined as is common over the universe ℤ of integers (e.g., [4]).

Full quantified Presburger arithmetic (QPA) consists of the formulae that do not contain uninterpreted predicates or functions; (quantifier-free) Presburger arithmetic (PA) is the quantifier-free fragment of QPA. The logic QPA+UP (QPA+UF) extends QPA to formulae with uninterpreted predicates (functions), according to the above grammar.

2.2 An Interpolating Sequent Calculus 

Interpolating sequents. To extract interpolants from unsatisfiability proofs of A ∧ B, formulae are labelled either with the letter L ("left") to indicate that they are derived from A or with R ("right") for formulae derived from B (as in [3]). More formally, if φ is a formula without free variables, then $\lfloor\phi\rfloor_L$ and $\lfloor\phi\rfloor_R$ are L/R-labelled formulae. If Γ, Δ are finite sets of labelled formulae and I is an unlabelled formula without free variables, then $\Gamma \vdash \Delta \blacktriangleright I$ is an interpolating sequent. Similarly, if Γ, Δ are sets of unlabelled formulae without free variables, then $\Gamma \vdash \Delta$ is an (ordinary) sequent. An ordinary sequent is valid if the formula $\bigwedge \Gamma \to \bigvee \Delta$ is valid.

The semantics of interpolating sequents is defined using the projections $\Gamma_L =_{\mathrm{def}} \{\phi \mid \lfloor\phi\rfloor_L \in \Gamma\}$ and $\Gamma_R =_{\mathrm{def}} \{\phi \mid \lfloor\phi\rfloor_R \in \Gamma\}$, which extract the L/R-parts of a set Γ of labelled formulae. A sequent $\Gamma \vdash \Delta \blacktriangleright I$ is valid if (i) the sequent $\Gamma_L \vdash \Delta_L, I$ is valid, (ii) the sequent $\Gamma_R, I \vdash \Delta_R$ is valid, and (iii) the constants and uninterpreted predicates/functions in I occur in both $\Gamma_L \cup \Delta_L$ and $\Gamma_R \cup \Delta_R$. As special cases, $\lfloor A\rfloor_L \vdash \lfloor C\rfloor_R \blacktriangleright I$ reduces to I being an interpolant of the implication A ⇒ C, while $\lfloor A\rfloor_L, \lfloor B\rfloor_R \vdash\ \blacktriangleright I$ captures the concept of interpolants for unsatisfiable conjunctions A ∧ B common in formal verification.

Interpolating sequent calculi. An interpolating rule is a binary relation between a finite set of interpolating sequents, called the premises, and a sequent called the conclusion:

$$
\frac{\Gamma_1 \vdash \Delta_1 \blacktriangleright I_1 \qquad \cdots \qquad \Gamma_n \vdash \Delta_n \blacktriangleright I_n}{\Gamma \vdash \Delta \blacktriangleright I}
$$

An interpolating rule is sound if, for all instances whose premises $\Gamma_1 \vdash \Delta_1 \blacktriangleright I_1, \ldots, \Gamma_n \vdash \Delta_n \blacktriangleright I_n$ are valid, the conclusion $\Gamma \vdash \Delta \blacktriangleright I$ is valid, too. Fig. 1 presents a selection of interpolating rules (used throughout the paper) for predicate logic. An exhaustive list of rules is given in Appendix A (Fig. 4) and in [3].

$$
\frac{\Gamma, \lfloor\phi\rfloor_L \vdash \Delta \blacktriangleright I \qquad \Gamma, \lfloor\psi\rfloor_L \vdash \Delta \blacktriangleright J}{\Gamma, \lfloor\phi \vee \psi\rfloor_L \vdash \Delta \blacktriangleright I \vee J}\ \text{OR-LEFT-L}
\qquad
\frac{\Gamma, \lfloor\phi\rfloor_R \vdash \Delta \blacktriangleright I \qquad \Gamma, \lfloor\psi\rfloor_R \vdash \Delta \blacktriangleright J}{\Gamma, \lfloor\phi \vee \psi\rfloor_R \vdash \Delta \blacktriangleright I \wedge J}\ \text{OR-LEFT-R}
$$

$$
\frac{\Gamma, \lfloor\phi\rfloor_D, \lfloor\psi\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\phi \wedge \psi\rfloor_D \vdash \Delta \blacktriangleright I}\ \text{AND-LEFT}
\qquad
\frac{\Gamma \vdash \lfloor\phi\rfloor_D, \Delta \blacktriangleright I}{\Gamma, \lfloor\neg\phi\rfloor_D \vdash \Delta \blacktriangleright I}\ \text{NOT-LEFT}
$$

$$
\frac{}{\Gamma, \lfloor\phi\rfloor_L \vdash \lfloor\phi\rfloor_L, \Delta \blacktriangleright \mathit{false}}\ \text{CLOSE-LL}
\qquad
\frac{}{\Gamma, \lfloor\phi\rfloor_R \vdash \lfloor\phi\rfloor_R, \Delta \blacktriangleright \mathit{true}}\ \text{CLOSE-RR}
$$

$$
\frac{}{\Gamma, \lfloor\phi\rfloor_L \vdash \lfloor\phi\rfloor_R, \Delta \blacktriangleright \phi}\ \text{CLOSE-LR}
\qquad
\frac{}{\Gamma, \lfloor\phi\rfloor_R \vdash \lfloor\phi\rfloor_L, \Delta \blacktriangleright \neg\phi}\ \text{CLOSE-RL}
$$

$$
\frac{\Gamma, \lfloor[x/t]\phi\rfloor_L, \lfloor\forall x.\phi\rfloor_L \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\forall x.\phi\rfloor_L \vdash \Delta \blacktriangleright \forall_R t.\, I}\ \text{ALL-LEFT-L}
\qquad
\frac{\Gamma, \lfloor[x/t]\phi\rfloor_R, \lfloor\forall x.\phi\rfloor_R \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\forall x.\phi\rfloor_R \vdash \Delta \blacktriangleright \exists_L t.\, I}\ \text{ALL-LEFT-R}
$$

$$
\frac{\Gamma, \lfloor[x/c]\phi\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\exists x.\phi\rfloor_D \vdash \Delta \blacktriangleright I}\ \text{EX-LEFT}
\qquad
\frac{\Gamma \vdash \lfloor[x/c]\phi\rfloor_D, \Delta \blacktriangleright I}{\Gamma \vdash \lfloor\forall x.\phi\rfloor_D, \Delta \blacktriangleright I}\ \text{ALL-RIGHT}
$$

Fig. 1. The upper box presents a selection of interpolating rules for propositional logic, while the lower box shows the interpolating rules to handle quantifiers. Parameter D stands for either L or R. The quantifier $\forall_R t$ denotes universal quantification over all constants occurring in t but not in $\Gamma_L \cup \Delta_L$; likewise, $\exists_L t$ denotes existential quantification over all constants occurring in t but not in $\Gamma_R \cup \Delta_R$. In the rules EX-LEFT and ALL-RIGHT, c is a constant that does not occur in the conclusion.

Interpolating proofs are trees growing upwards, in which each node is labelled with an interpolating sequent, and each non-leaf node is related to the node(s) directly above it through an instance of a calculus rule. A proof is closed if it is finite and all leaves are justified by an instance of a rule without premises.

To construct a proof for an interpolation problem, we build a proof tree starting from the root $\Gamma \vdash \Delta \blacktriangleright I$ with unknown interpolant I, i.e., I acts as a placeholder. For example, to solve an interpolation problem A ∧ B, we start with the sequent $\lfloor A\rfloor_L, \lfloor B\rfloor_R \vdash\ \blacktriangleright I$. Rules are then applied successively to decompose and simplify the sequent. Once all branches are closed, i.e., a proof is found, an interpolant can be extracted from the proof. Starting from the leaves, intermediate interpolants are computed and propagated back to the root, leading to an interpolant I. An example of this procedure is given in the next section.
3 Interpolation for Uninterpreted Predicates



3.1 Presburger Arithmetic and Uninterpreted Predicates 

We begin by studying the interpolation problem for Presburger arithmetic extended with uninterpreted predicates (QPA+UP), which forms a simple yet expressive base logic in which functions and arrays can be elegantly encoded. The case of predicates is instructive, since essentially the same phenomena occur under interpolation as with uninterpreted functions.

Example 1. We illustrate the construction of an interpolating proof by deriving an interpolant for A ⇒ C, with A = (¬p(c) ∨ p(d)) ∧ p(c) and C = p(d). A complete interpolating proof of this implication looks as follows:

$$
\dfrac{
 \dfrac{
  \dfrac{\lfloor p(c)\rfloor_L \vdash \lfloor p(d)\rfloor_R, \lfloor p(c)\rfloor_L \blacktriangleright \mathit{false}}
        {\lfloor \neg p(c)\rfloor_L, \lfloor p(c)\rfloor_L \vdash \lfloor p(d)\rfloor_R \blacktriangleright \mathit{false}}\ \text{NOT-LEFT}
  \qquad
  \lfloor p(d)\rfloor_L, \lfloor p(c)\rfloor_L \vdash \lfloor p(d)\rfloor_R \blacktriangleright p(d)
 }{\lfloor \neg p(c) \vee p(d)\rfloor_L, \lfloor p(c)\rfloor_L \vdash \lfloor p(d)\rfloor_R \blacktriangleright \mathit{false} \vee p(d)}\ \text{OR-LEFT-L}
}{\lfloor (\neg p(c) \vee p(d)) \wedge p(c)\rfloor_L \vdash \lfloor p(d)\rfloor_R \blacktriangleright \mathit{false} \vee p(d)}\ \text{AND-LEFT}
$$

(In the typeset original, shaded regions indicate the parts of the formula being matched against the rules in Fig. 1.) The sequent $\lfloor (p(c) \vee p(d)) \wedge p(c)\rfloor_L \vdash \lfloor p(d)\rfloor_R \blacktriangleright I$ is the root of the proof, where I = false ∨ p(d) has been filled in once the proof was closed. The AND-LEFT rule propagates the L-label to the subformulae of the antecedent of the first sequent. By applying OR-LEFT-L to the disjunction p(c) ∨ p(d), the proof splits into two branches. The right branch can immediately be closed using CLOSE-LR. The left branch requires an application of NOT-LEFT before it can be closed with CLOSE-LL. We compute an interpolant by propagating (intermediate) interpolants from the leaves back to the root of the proof. As specified by CLOSE-LR, the interpolant of the right branch is p(d). On the left branch, the CLOSE-LL rule yields the interpolant false, which is carried through by NOT-LEFT. The rule OR-LEFT-L takes the interpolants of its two subproofs and generates false ∨ p(d). This is the final interpolant, since the last rule AND-LEFT propagates interpolants without applying modifications. □
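The following Python program is an added example (not code from the paper or from the Princess prover) that mechanises the bottom-up proof construction and interpolant extraction of Example 1 for the propositional rules of Fig. 1. The closure rules and the left rules follow Fig. 1 literally; the right rules OR-RIGHT, NOT-RIGHT and AND-RIGHT-L/R are assumed to be the usual duals from [3] and are not shown on this page. Atoms such as p(c) are treated as opaque propositions, so no arithmetic or predicate-consistency reasoning is performed; a truth-table check confirms Craig's three conditions on the extracted interpolant.

```python
"""Interpolant extraction for the propositional rules of Fig. 1 (added example)."""
from itertools import product

# Formula ASTs: atoms stand for ground literals such as p(c); labels are 'L' or 'R'.
def atom(name): return ('atom', name)
def neg(f):     return ('not', f)
def conj(f, g): return ('and', f, g)
def disj(f, g): return ('or', f, g)
FALSE, TRUE = ('false',), ('true',)

def prove(ante, succ):
    """Build a closed proof of the interpolating sequent `ante |- succ > I`
    bottom-up and return I; `ante`/`succ` are lists of (formula, label).
    Returns None if no closed proof exists (the sequent is not valid)."""
    # CLOSE-LL / CLOSE-RR / CLOSE-LR / CLOSE-RL: the same formula on both sides.
    for fa, da in ante:
        for fs, ds in succ:
            if fa == fs:
                return {('L', 'L'): FALSE, ('R', 'R'): TRUE,
                        ('L', 'R'): fa, ('R', 'L'): neg(fa)}[(da, ds)]
    # Left rules of Fig. 1.
    for i, (f, d) in enumerate(ante):
        rest = ante[:i] + ante[i + 1:]
        if f[0] == 'and':                       # AND-LEFT: both conjuncts keep label d
            return prove(rest + [(f[1], d), (f[2], d)], succ)
        if f[0] == 'not':                       # NOT-LEFT: move the formula to the succedent
            return prove(rest, succ + [(f[1], d)])
        if f[0] == 'or':                        # OR-LEFT-L yields I v J, OR-LEFT-R yields I ^ J
            i1, i2 = prove(rest + [(f[1], d)], succ), prove(rest + [(f[2], d)], succ)
            if i1 is None or i2 is None:
                return None
            return disj(i1, i2) if d == 'L' else conj(i1, i2)
    # Dual right rules (OR-RIGHT, NOT-RIGHT, AND-RIGHT-L/R), assumed as in [3].
    for i, (f, d) in enumerate(succ):
        rest = succ[:i] + succ[i + 1:]
        if f[0] == 'or':
            return prove(ante, rest + [(f[1], d), (f[2], d)])
        if f[0] == 'not':
            return prove(ante + [(f[1], d)], rest)
        if f[0] == 'and':
            i1, i2 = prove(ante, rest + [(f[1], d)]), prove(ante, rest + [(f[2], d)])
            if i1 is None or i2 is None:
                return None
            return disj(i1, i2) if d == 'L' else conj(i1, i2)
    return None                                 # only distinct atoms remain: open branch

def atoms(f):
    """Names of the propositional atoms occurring in f."""
    return {f[1]} if f[0] == 'atom' else set().union(*(atoms(g) for g in f[1:]))

def evaluate(f, env):
    k = f[0]
    if k == 'atom':  return env[f[1]]
    if k == 'true':  return True
    if k == 'false': return False
    if k == 'not':   return not evaluate(f[1], env)
    if k == 'and':   return evaluate(f[1], env) and evaluate(f[2], env)
    return evaluate(f[1], env) or evaluate(f[2], env)

def implies(f, g):
    """Truth-table check that f -> g is valid."""
    names = sorted(atoms(f) | atoms(g))
    return all(not evaluate(f, env) or evaluate(g, env)
               for vals in product([False, True], repeat=len(names))
               for env in [dict(zip(names, vals))])

def is_interpolant(a, c, i):
    """Craig's three conditions: A => I, I => C, and I only uses atoms shared by A and C."""
    return implies(a, i) and implies(i, c) and atoms(i) <= (atoms(a) & atoms(c))

# Example 1 of the paper: A = (~p(c) v p(d)) ^ p(c), C = p(d).
A = conj(disj(neg(atom('p(c)')), atom('p(d)')), atom('p(c)'))
C = atom('p(d)')

def example_1():
    """Interpolant for the root sequent  [A]_L |- [C]_R > I  of Example 1."""
    return prove([(A, 'L')], [(C, 'R')])

if __name__ == '__main__':
    I = example_1()
    print(I)                        # ('or', ('false',), ('atom', 'p(d)')), i.e. false v p(d)
    print(is_interpolant(A, C, I))  # True
```

The same procedure handles the A ∧ B convention of Sect. 2.2: `prove([(A, 'L'), (neg(C), 'R')], [])` moves ¬C to the succedent by NOT-RIGHT and then runs exactly the proof shown above.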

In this example, the arguments of occurrences of uninterpreted predicates literally matched up, which need not be the case. The rules presented so far are insufficient to prove more complex theorems, such as p(c) ∧ c = d → p(d), in which arithmetic and predicate calculus interact. To fully integrate uninterpreted predicates, we use an explicit predicate consistency axiom

$$
PC_p = \forall \bar x, \bar y.\ ((p(\bar x) \wedge \bar x - \bar y = 0) \to p(\bar y)) \tag{1}
$$

which can be viewed as an L- or R-labelled formula that is implicitly present in every sequent. The label L/R is chosen depending on whether p occurs in $\Gamma_L \cup \Delta_L$, in $\Gamma_R \cup \Delta_R$, or in both.

To make use of (1) in a proof, we need additional proof rules to instantiate quantifiers, which are given in the bottom part of Fig. 1. Formula (1) can be instantiated with techniques similar to the e-matching in SMT solvers [5]: it suffices to generate a ground instance of (1) by applying ALL-LEFT-L/R whenever literals $p(\bar s)$ and $p(\bar t)$ occur in the antecedent and succedent [19]:

$$
\frac{\Gamma, \lfloor p(\bar s)\rfloor_D, \lfloor (p(\bar s) \wedge \bar s - \bar t = 0) \to p(\bar t)\rfloor_L \vdash \lfloor p(\bar t)\rfloor_E, \Delta \blacktriangleright I}{\Gamma, \lfloor p(\bar s)\rfloor_D \vdash \lfloor p(\bar t)\rfloor_E, \Delta \blacktriangleright \forall_R \bar s, \bar t.\, I}\ \text{ALL-LEFT-L}
$$

where D, E ∈ {L, R} are arbitrary labels, and $\forall_R \bar s, \bar t$ denotes universal quantification over all constants occurring in the terms $\bar s, \bar t$ but not in the set of left formulae $(\Gamma, \lfloor p(\bar s)\rfloor_D)_L \cup (\Delta, \lfloor p(\bar t)\rfloor_E)_L$ (like in Fig. 1). Similarly, instances of (1) labelled with R can be generated using ALL-LEFT-R. To improve efficiency, refinements can be formulated that drastically reduce the number of generated instances [7].

Correctness. The calculus consisting of the rules in Fig. 1, the arithmetic rules of [3], and axiom (1) generates correct interpolants. That is, whenever a sequent $\lfloor A\rfloor_L \vdash \lfloor C\rfloor_R \blacktriangleright I$ is derived, the implications A ⇒ I and I ⇒ C are valid, and the constants and predicates in I occur in both A and C. More precisely:

Lemma 2 (Soundness). If an interpolating QPA+UP sequent $\Gamma \vdash \Delta \blacktriangleright I$ is provable in the calculus, then it is valid.

In particular, the sequent $\Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$ is valid in this case. As shown in [3], Lem. 2 holds for the calculus consisting of the arithmetic and propositional rules. It is easy to see that the additional rules presented in this paper are sound, too.

Concerning completeness, we observe that the logic of quantified Presburger arithmetic with predicates is $\Pi^1_1$-complete, which means that no complete calculi exist [8]. On the next pages, we therefore discuss how to restrict the quantification allowed in formulae to achieve completeness, while retaining the ability to extract interpolants from proofs.



3.2 Quantifiers in QPA+UP Interpolants 

We first consider the quantifier-free fragment PA+UP. With the help of results in [19, 3], it is easy to see that our calculus is sound and complete for PA+UP, and can in fact be turned into a decision procedure. There is a caveat, however: although formulae in PA+UP are quantifier-free, generated interpolants may still contain quantifiers and thus lie outside of PA+UP. The source of quantifiers is the rules ALL-LEFT-L/R in Fig. 1, which can be used to instantiate L/R-labelled quantified formulae with terms containing alien symbols. Such symbols have to be eliminated from resulting interpolants through quantifiers. The following example illustrates this situation.

Example 3. Fig. 2 shows the derivation of an interpolant for the unsatisfiable conjunction (2c − y = 0 ∧ p(c)) ∧ (2d − y = 0 ∧ ¬p(d)). After propositional reductions, we instantiate $PC_p$ with the predicate arguments c and d, due to the occurrences of the literals p(c) and p(d) in the sequent. The proof can then be closed using propositional rules, complementary literals, and arithmetic reasoning [3]. The final interpolant is the formula I = ∀x. (y − 2x ≠ 0 ∨ p(x)), in which a quantifier has been introduced via ALL-LEFT-L to eliminate the constant d. □

Fig. 2. Example proof involving uninterpreted predicates. [The proof tree itself did not survive the scan. Recoverable from the figure: its root is the sequent $\lfloor PC_p\rfloor_L, \lfloor PC_p\rfloor_R, \lfloor 2c - y = 0 \wedge p(c)\rfloor_L, \lfloor 2d - y = 0 \wedge \neg p(d)\rfloor_R \vdash\ \blacktriangleright I$; the rules applied from the root upwards are AND-LEFT, AND-LEFT, NOT-LEFT, ALL-LEFT-L (instantiating $PC_p$ to $\lfloor (p(c) \wedge c - d = 0) \to p(d)\rfloor_L$) and OR-LEFT-L; the intermediate interpolant above the ALL-LEFT-L step is $y - 2d \neq 0 \vee p(d)$, with the left branch of the disjunction contributing $y - 2d \neq 0$ and the branch $\ldots \vdash \lfloor p(c)\rfloor_L \blacktriangleright \mathit{false}$ closing against the L-literal p(c).]

In fact, as we formally prove in Appendix B, quantifier-free interpolants for the inconsistent PA+UP formulae 2c − y = 0 ∧ p(c) and 2d − y = 0 ∧ ¬p(d) do not exist. Abstracting from this example, we obtain:

Theorem 4. PA+UP is not closed under interpolation.

Intuitively, Theorem 4 holds because the logic PA does not provide an integer division operator. Divisibility predicates $\alpha \mid t$ are insufficient in the presence of uninterpreted predicates, because they cannot be used within terms: no quantifier-free formula can express the statement ∀x. (y − 2x ≠ 0 ∨ p(x)), which is equivalent to $2 \mid y \to p(y \div 2)$ with ÷ denoting integer division.

Adding integer division is sufficient to close PA+UP under interpolation. More formally, we define the logic PAID ("PA with Integer Divisibility"), extending PA by guarded quantified expressions

$$
\forall x.\,(\alpha x + t \neq 0 \vee \phi), \qquad \exists x.\,(\alpha x + t = 0 \wedge \phi) \tag{2}
$$

where x ∈ X ranges over variables, α ∈ ℤ \ {0} over non-zero integers, t over terms not containing x, and φ over PAID formulae (possibly containing x as a free variable). The logic PAID+UP is obtained by adding uninterpreted predicates to PAID. Note that the interpolant I computed in Example 3 is in PAID+UP.

It is easy to extend our interpolating calculus to a sound and complete calculus for PAID+UP; the only necessary additional rules are

$$
\frac{\Gamma, \lfloor (\alpha \nmid t) \vee \exists x.\,(\alpha x + t = 0 \wedge \phi)\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor \forall x.\,(\alpha x + t \neq 0 \vee \phi)\rfloor_D \vdash \Delta \blacktriangleright I}\ \text{ALL-LEFT-GRD}
$$

$$
\frac{\Gamma \vdash \lfloor (\alpha \mid t) \wedge \forall x.\,(\alpha x + t \neq 0 \vee \phi)\rfloor_D, \Delta \blacktriangleright I}{\Gamma \vdash \lfloor \exists x.\,(\alpha x + t = 0 \wedge \phi)\rfloor_D, \Delta \blacktriangleright I}\ \text{EX-RIGHT-GRD}
$$

with the side conditions that α ≠ 0, and that x does not occur in t.
Theorem 5 (Completeness). Suppose Γ, Δ are sets of labelled PAID+UP formulae. If the sequent $\Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$ is valid, then there is a formula I such that (i) the sequent $\Gamma \vdash \Delta \blacktriangleright I$ is provable in the calculus of Sect. 3.1, enriched with the rules ALL-LEFT-GRD and EX-RIGHT-GRD; and (ii) I is a PAID+UP formula up to normalisation of guards to obtain expressions of the form (2).

Guard normalisation is necessary in general, because interpolants generated by proofs can take the shape $\forall \bar x.\,(t_1 \neq 0 \vee \cdots \vee t_k \neq 0 \vee \phi)$, grouping together multiple quantifiers and guards. We show in Appendix C.1 that such formulae can effectively be transformed to the form (2). To prove the theorem, we first argue that sequent proofs of a certain restricted form are guaranteed to result in PAID+UP interpolants, up to normalisation of guards:

Lemma 6. Suppose that every instantiation of the axiom (1) in a proof $\mathcal{P}$ of the PAID+UP sequent $\Gamma \vdash \Delta \blacktriangleright I$ has the form

$$
\dfrac{
 \dfrac{\mathcal{Q}}{\ldots, \lfloor p(\bar s)\rfloor_D \vdash \lfloor \bar s - \bar t = 0\rfloor_F, \lfloor p(\bar t)\rfloor_E, \ldots \blacktriangleright J_1}
 \qquad
 \ldots \vdash \lfloor p(\bar s)\rfloor_F, \ldots \blacktriangleright J_2
 \qquad
 \ldots, \lfloor p(\bar t)\rfloor_F \vdash \lfloor p(\bar t)\rfloor_E, \ldots \blacktriangleright J_3
}{\ldots, \lfloor p(\bar s)\rfloor_D \vdash \lfloor p(\bar t)\rfloor_E, \ldots \blacktriangleright \cdots}
$$

where (i) D, E ∈ {L, R} and F ∈ {D, E} are arbitrary labels, (ii) the proof $\mathcal{Q}$ only uses the rules RED-RIGHT, MUL-RIGHT, IPI-RIGHT, AND-RIGHT-L, and CLOSE-EQ-RIGHT applied to an equality derived from $\bar s - \bar t = 0$ (see [3] or Appendix A for definitions of the rules), and (iii) ALL-LEFT and EX-RIGHT are not applied in any other places in $\mathcal{P}$. Then I is a PAID+UP formula up to normalisation of guards.

A proof of this lemma is contained in Appendix C.1. Intuitively, the conditions in the lemma enable the application of (1) to atoms $p(\bar s)$ and $p(\bar t)$ only if the equations present in a sequent entail that the arguments $\bar s$ and $\bar t$ match up. There are various ways of relaxing this restriction: most importantly, the application of axiom (1) only has to be constrained when unifying literals $\lfloor p(\bar s)\rfloor_D$ and $\lfloor p(\bar t)\rfloor_E$ with distinct labels D ≠ E. Applications of the axiom to literals with the same label are uncritical, because they never introduce quantifiers in interpolants. In fact, practical experience with our theorem prover Princess shows that generated interpolants are often naturally in the PAID+UP fragment, even when not imposing any restrictions on the proof generation process.

The second ingredient in proving the completeness theorem Thm. 5 is to 
show that the calculus with the restrictions imposed in Lem. 6 is still complete. 
We describe a proof procedure abiding by these restrictions in Appendix C.2. 
As a corollary of the completeness, we obtain: 

Corollary 7. PAID+UP is closed under interpolation. 
Despite this closure property, some proofs may result in interpolants outside PAID+UP, by applying "wrong" rules in the sub-proof $\mathcal{Q}$ of Lem. 6:

Example 8. Starting from PAID+UP input formulae, the following proof generates the interpolant ∀c.p(c), which is not equivalent to any PAID+UP formula:

$$
\dfrac{
 \dfrac{
  \lfloor p(0)\rfloor_L \vdash \lfloor p(0)\rfloor_L \blacktriangleright \mathit{false}
  \qquad
  \lfloor q\rfloor_L \vdash \lfloor c = 0\rfloor_L, \lfloor q\rfloor_L \blacktriangleright \mathit{false}
  \qquad
  \lfloor p(c)\rfloor_L \vdash \lfloor p(c)\rfloor_R \blacktriangleright p(c)
 }{\ldots, \lfloor p(0)\rfloor_L, \lfloor q\rfloor_L, \lfloor (p(0) \wedge c = 0) \to p(c)\rfloor_L \vdash \lfloor p(c)\rfloor_R, \lfloor q\rfloor_L \blacktriangleright p(c)}
}{\lfloor PC_p\rfloor_L, \lfloor PC_p\rfloor_R, \lfloor p(0)\rfloor_L, \lfloor q\rfloor_L \vdash \lfloor p(c)\rfloor_R, \lfloor q\rfloor_L \blacktriangleright \forall c.\, p(c)}\ \text{ALL-LEFT-L}
$$

The first step in the proof is to instantiate axiom (1), in an attempt to unify the formulae $\lfloor p(0)\rfloor_L$ and $\lfloor p(c)\rfloor_R$; this instantiation later introduces the unguarded quantifier ∀c in the interpolant. The proof violates the conditions in Lem. 6, because the middle sub-proof is closed using the atoms $\lfloor q\rfloor_L$ instead of the equation $\lfloor c = 0\rfloor_L$. A correct PAID+UP interpolant for this example is false. □

PAID and integer division. Despite the presence of guarded quantifiers, PAID is close to simple quantifier-free assertion languages found in programming languages like Java or C, making PAID expressions convenient to pass on to decision procedures. Specifically, the following equivalences hold:

$$
\forall x.\,(\alpha x + t \neq 0 \vee \phi) \;\equiv\; (\alpha \nmid t) \vee [x/(-t \div \alpha)]\phi, \qquad (\alpha \mid t) \;\equiv\; \alpha (t \div \alpha) = t
$$

where ÷ denotes integer division. Vice versa, an expression c = t ÷ α can be encoded in PAID using axioms like αc ≤ t ∧ (t < αc + α ∨ t < αc − α).
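As an added illustration (not code from the paper), the Python program below evaluates the two sides of the first equivalence above by brute force: the guarded universal quantifier is evaluated over a finite window of integers, which is exact because the guard αx + t ≠ 0 can fail for at most one x, and the quantifier-free side uses Python's floor division as ÷. It also checks that the Example 3 interpolant I = ∀x.(y − 2x ≠ 0 ∨ p(x)), read as 2 ∤ y ∨ p(y ÷ 2), follows from A = (2c − y = 0 ∧ p(c)) and refutes B = (2d − y = 0 ∧ ¬p(d)) for every predicate p on a small window. The window sizes and the sample predicates are constructed here and are not part of the paper.

```python
"""Guarded PAID quantifiers versus integer division (added example)."""
from itertools import product

def guarded_forall(alpha, t, phi, lo=-50, hi=50):
    """Evaluate forall x.(alpha*x + t != 0 or phi(x)) over x in [lo, hi].
    The guard alpha*x + t != 0 fails for at most one x, namely -t/alpha, so the
    finite window yields the exact truth value whenever it contains that point."""
    return all(alpha * x + t != 0 or phi(x) for x in range(lo, hi + 1))

def divides(alpha, t):
    """The divisibility atom alpha | t, written as alpha * (t div alpha) = t."""
    return alpha * (t // alpha) == t

def eliminate_guard(alpha, t, phi):
    """Quantifier-free reading: (alpha does not divide t) or phi(-t div alpha).
    When alpha divides t, -t // alpha is exact and is the one x the guard lets
    through; otherwise the guard holds for every x and the formula is true."""
    return (not divides(alpha, t)) or phi(-t // alpha)

def equivalence_holds(alphas=range(-4, 5), ts=range(-30, 31)):
    """Compare both sides for every non-zero alpha and every t in the ranges,
    for a few constructed sample matrices phi."""
    phis = [lambda x: x % 3 == 0, lambda x: x > 2, lambda x: x * x < 10]
    return all(guarded_forall(a, t, phi) == eliminate_guard(a, t, phi)
               for a in alphas if a != 0 for t in ts for phi in phis)

def example_3_check(n=3):
    """Example 3: I(y) = forall x.(y - 2x != 0 or p(x)) must follow from
    A = (2c - y = 0 and p(c)) and be inconsistent with B = (2d - y = 0 and not p(d)),
    for every predicate p on [-n, n] (all 2^(2n+1) of them) and all c, d in [-n, n],
    y in [-2n, 2n].  I(y) is also compared with its PAID+UP reading 2 ∤ y or p(y div 2)."""
    xs = list(range(-n, n + 1))
    for bits in product([False, True], repeat=len(xs)):
        p = dict(zip(xs, bits)).__getitem__
        for y in range(-2 * n, 2 * n + 1):
            i_y = guarded_forall(-2, y, p, -n, n)          # alpha = -2, t = y
            if i_y != eliminate_guard(-2, y, p):
                return False
            if any(2 * c - y == 0 and p(c) and not i_y for c in xs):   # A -> I fails
                return False
            if any(2 * d - y == 0 and not p(d) and i_y for d in xs):   # B ^ I satisfiable
                return False
    return True

if __name__ == '__main__':
    print(equivalence_holds())   # True
    print(example_3_check())     # True
```

The substitution uses −t ÷ α because αx + t = 0 has the unique solution x = −t/α; with α = −2 and t = y this is y ÷ 2, matching the reading of the Example 3 interpolant.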



4 Interpolation for Uninterpreted Functions 

4.1 A Relational Encoding of Uninterpreted Functions 

For practical verification and interpolation problems, uninterpreted functions 
are more common and often more important than uninterpreted predicates. In 
the context of interpolation, functions share many properties with predicates; 
in particular, the quantifier-free fragment PA+UF is again not closed under 
interpolation, in analogy to Theorem 4. 

Similar to the previous section, the interpolation property can be restored by adding means of integer division. To this end, we define the logic PAID+UF like PAID, but allowing arbitrary occurrences of uninterpreted functions in terms. For reasoning and interpolation purposes, we represent functions via an encoding into uninterpreted predicates. The resulting calculus strongly resembles the congruence closure approach used in SMT solvers (e.g., [5]). To formalise the encoding, we introduce a further logic, PAID+UF$_p$. Recall that P and F denote the vocabularies of uninterpreted predicates and functions. We assume that a fresh (n+1)-ary uninterpreted predicate $f_p \in P$ exists for every n-ary uninterpreted function f ∈ F. The logic PAID+UF$_p$ is then derived from PAID by incorporating occurrences of predicates $f_p$ of the following form:

$$
\exists x.\,(f_p(t_1, \ldots, t_n, x) \wedge \phi) \tag{3}
$$

where x ∈ X ranges over variables, $t_1, \ldots, t_n$ over terms that do not contain x, and φ over PAID+UF$_p$ formulae (possibly containing x). In order to avoid universal quantifiers, we do not allow expressions (3) underneath negations.

Formulae in PAID+UF can uniformly be mapped to PAID+UF$_p$ by rewriting:

$$
\phi[f(t_1, \ldots, t_n)] \;\rightsquigarrow\; \exists x.\,(f_p(t_1, \ldots, t_n, x) \wedge \phi[x]) \tag{4}
$$

provided that the terms $t_1, \ldots, t_n$ do not contain variables bound in φ. To stay within PAID+UF$_p$, application of the rule underneath negations has to be avoided, which can be done by transformation to negation normal form. We write $\phi_{Rel}$ for the function-free PAID+UF$_p$ formula derived from a PAID+UF formula φ by exhaustive application of (4). Vice versa, φ can be obtained from $\phi_{Rel}$ by applying (4) in the opposite direction. Assuming functional consistency, the formulae φ and $\phi_{Rel}$ are satisfiability-equivalent:

Lemma 9. Let $FC_f$ denote the functional consistency axiom:³

$$
FC_f = \forall \bar x_1, \bar x_2, y_1, y_2.\ ((f_p(\bar x_1, y_1) \wedge f_p(\bar x_2, y_2) \wedge \bar x_1 = \bar x_2) \to y_1 = y_2) \tag{5}
$$

A PAID+UF formula φ is satisfiable exactly if $\phi_{Rel} \wedge \bigwedge_{f \in F} FC_f$ is satisfiable.

By the lemma, it is sufficient to construct a proof of $\neg(\phi_{Rel} \wedge \bigwedge_{f \in F} FC_f)$ in order to show that φ is unsatisfiable.⁴ The axioms $FC_f$ can be handled by ground instantiation, just like the predicate consistency axiom (1): whenever atoms $f_p(\bar s_1, t_1)$ and $f_p(\bar s_2, t_2)$ occur in the antecedent of a sequent, an instance of $FC_f$ can be generated using the rules ALL-LEFT-L/R and the substitution $[\bar x_1/\bar s_1, \bar x_2/\bar s_2, y_1/t_1, y_2/t_2]$. This form of instantiation is sufficient, because predicates $f_p$ only occur in positive positions in $\phi_{Rel}$, and therefore only turn up in antecedents. As before, the number of required instances can be kept under control by formulating suitable refinements [7].

³ Axiom (5) can also be formulated as $\forall \bar x, y_1, y_2.\ (f_p(\bar x, y_1) \wedge f_p(\bar x, y_2) \to y_1 = y_2)$, assuming the predicate consistency axiom (1). We chose (5) to avoid having to consider the auxiliary axiom (1) at this point, which simplifies presentation.

⁴ Note that this formulation fails to work if arbitrary quantifiers are allowed in φ; this case would require axioms for totality of functions as well.

4.2 Interpolation for PAID+UF

PAID+UF conjunctions A ∧ B can be interpolated by constructing a proof of

$$
\lfloor A_{Rel}\rfloor_L, \lfloor B_{Rel}\rfloor_R, \{\lfloor FC_f\rfloor_L\}_{f \in F_A}, \{\lfloor FC_f\rfloor_R\}_{f \in F_B} \vdash\ \blacktriangleright I \tag{6}
$$

where $F_A$/$F_B$ are the uninterpreted functions occurring in A/B. Due to the soundness of the calculus, the existence of a proof guarantees that I is an interpolant. Vice versa, a completeness result corresponding to Thm. 5 also holds for PAID+UF$_p$. Because PAID+UF$_p$ interpolants can be translated back to PAID+UF by virtue of (4), we also have a closure result:

Theorem 10. The logic PAID+UF is closed under interpolation.

$$
\dfrac{
\dfrac{
\dfrac{
 \lfloor a = 1\rfloor_R \vdash \lfloor 2 = a + 1\rfloor_L \blacktriangleright a \neq 1
 \qquad
 \dfrac{\dfrac{\lfloor x_1 = x_2\rfloor_L, \cdots}{\ldots, \lfloor (f_p(b, y_1) \wedge f_p(c, y_2) \wedge b = c) \to y_1 = y_2\rfloor_R \vdash\ \blacktriangleright b = c \wedge d = 1}}
       {\ldots, \lfloor f_p(b, y_1)\rfloor_R, \lfloor f_p(c, y_2)\rfloor_R, \lfloor FC_f\rfloor_R, \lfloor x_1 = x_2\rfloor_L \vdash\ \blacktriangleright b = c \wedge d = 1}\ \text{(ii)}
}{\ldots, \lfloor (f_p(2, x_1) \wedge f_p(a + 1, x_2) \wedge 2 = a + 1) \to x_1 = x_2\rfloor_L \vdash\ \blacktriangleright I_1}\ \text{OR-LEFT-L}^{+}
}{\ldots, \lfloor f_p(2, x_1)\rfloor_L, \lfloor f_p(a + 1, x_2)\rfloor_L, \lfloor FC_f\rfloor_L \vdash\ \blacktriangleright I_1}\ \text{(i)}
}{\lfloor A_{Rel}\rfloor_L, \lfloor B_{Rel}\rfloor_R, \lfloor FC_f\rfloor_L, \lfloor FC_f\rfloor_R \vdash\ \blacktriangleright I_1}\ \text{AND-LEFT, EX-LEFT}
$$

Fig. 3. Interpolating proof of Example 11. Parts of the proof concerned with arithmetic reasoning or application of the CLOSE-* rules are not shown.

Example 11. We consider the PAID+UF interpolation problem A ∧ B with

$$
A = b = f(2) \wedge f(a + 1) = c \wedge d = 1, \qquad B = a = 1 \wedge f(b) = f(c) + d.
$$

The corresponding PAID+UF$_p$ formulae are:

$$
\begin{aligned}
A_{Rel} &= \exists x_1.\,(f_p(2, x_1) \wedge \exists x_2.\,(f_p(a + 1, x_2) \wedge b = x_1 \wedge x_2 = c \wedge d = 1)) \\
B_{Rel} &= \exists y_1.\,(f_p(b, y_1) \wedge \exists y_2.\,(f_p(c, y_2) \wedge a = 1 \wedge y_1 = y_2 + d)).
\end{aligned}
$$

The unsatisfiability of $A_{Rel} \wedge B_{Rel}$ is proven in Fig. 3, requiring two applications of $FC_f$: (i) for the pair f(2), f(a + 1), and (ii) for f(b), f(c). The resulting interpolant is $I_1 = a \neq 1 \vee (b = c \wedge d = 1)$ and contains a disjunction due to splitting over an L-formula (i), and a conjunction due to (ii). □

As in Lem. 6, a sufficient condition for PAID+UF$_p$ interpolants can be given by restricting applications of the functional consistency axiom:

Lemma 12. Suppose that every instantiation of an axiom $FC_f$ in a proof $\mathcal{P}$ of (6) has the form

$$
\dfrac{
 \lfloor f_p(\bar s_1, t_1)\rfloor_D \vdash \lfloor f_p(\bar s_1, t_1)\rfloor_F \blacktriangleright J_1
 \quad
 \lfloor f_p(\bar s_2, t_2)\rfloor_E \vdash \lfloor f_p(\bar s_2, t_2)\rfloor_F \blacktriangleright J_2
 \quad
 \dfrac{\mathcal{Q}}{\ldots \vdash \lfloor \bar s_1 = \bar s_2\rfloor_F, \ldots \blacktriangleright J_3}
 \quad
 \ldots, \lfloor t_1 = t_2\rfloor_F \vdash \ldots \blacktriangleright J_4
}{\ldots, \lfloor f_p(\bar s_1, t_1)\rfloor_D, \lfloor f_p(\bar s_2, t_2)\rfloor_E \vdash \ldots \blacktriangleright \cdots}\ \text{ALL-LEFT}^{+}
$$

where (i) D, E ∈ {L, R} and F ∈ {D, E} are arbitrary labels, (ii) R ∈ {D, E} implies F = R, (iii) the proof $\mathcal{Q}$ only uses the rules RED-RIGHT, MUL-RIGHT, IPI-RIGHT, AND-RIGHT-L, and CLOSE-EQ-RIGHT applied to an equality derived from $\bar s_1 = \bar s_2$ (see [3] or Appendix A), (iv) ALL-LEFT and EX-RIGHT are not applied in any other places in $\mathcal{P}$. Then I is a PAID+UF$_p$ formula up to normalisation of guards.

Proofs of this shape closely correspond to the reasoning of congruence closure procedures (e.g., [5]): two terms/nodes $f(\bar s_1)$ and $f(\bar s_2)$ are collapsed only once the equations $\bar s_1 = \bar s_2$ have been derived. Congruence closure can therefore be used to efficiently generate proofs satisfying the conditions of the lemma (abstracting from the additional reasoning necessary to handle the integers).

As in Sect. 3.2, it is also possible to relax the conditions of the lemma; in particular, there is no need to restrict $FC_f$ applications with D = E. The resulting interpolation procedure is very flexible, in the sense that many different interpolants can be generated from essentially the same proof. Reordering $FC_f$ applications, for instance, changes the propositional structure of interpolants:

Example 13. In Example 11, the interpolant $I_1 = a \neq 1 \vee (b = c \wedge d = 1)$ is derived using two $FC_f$ applications (i) and (ii). Reordering the applications, so as to perform (ii) before (i), yields the interpolant $I_2 = (a \neq 1 \vee b = c) \wedge d = 1$. □

4.3 Interpolation for the Theory of Extensional Arrays 

The first-order theory of arrays [9] is typically encoded using uninterpreted func- 
tion symbols select and store by means of the following axioms: 

Vx,y,z. select(store(x,y, z),y) = z (7) 
Vx,y 1 ,y 2 ,z. (2/1= y 2 V select(store(x,y 1 ,z),y 2 ) = select(x,y 2 )) (8) 

Intuitively, select(x, y) retrieves the element of array x stored at position y, 
while store(x, y, z) denotes the array that is identical to x, except that position y 
stores value z. The extensional theory of arrays additionally supports equalities 
between arrays and is encoded using the following axiom: 

Vxi,X2. (x\ = x 2 (Vy. select(xi,y) = select(x 2 ,y))) (9) 

The quantifier-free theory of arrays is again not closed under interpolation, even without arithmetic, as was already noted in [10, 11]. A classical example is given by the following inconsistent formulae:

A = \big(M' = store(M, a, d)\big)

B = \big(b \neq c \land select(M', b) \neq select(M, b) \land select(M', c) \neq select(M, c)\big),

which only permit quantified interpolants, of the form

\forall y_1, y_2.\ \big(y_1 = y_2 \lor select(M, y_1) = select(M', y_1) \lor select(M, y_2) = select(M', y_2)\big).
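To make the classical example concrete, the following Python code is an added finite-model check and not part of the paper: it fixes a small index and value domain (my own choice), implements select and store so that axioms (7) and (8) hold by construction, and verifies by enumeration that A ∧ B is unsatisfiable and that the quantified formula above is an interpolant for A and B (A implies it, and it is inconsistent with B).

```python
from itertools import product

# Constructed finite interpretation of the array theory: indices and values are
# small finite sets, and an array is a tuple holding one value per index.
INDICES = (0, 1, 2)
VALUES = (0, 1)


def select(arr, i):
    """select(x, y): the element of array x stored at position y."""
    return arr[i]


def store(arr, i, v):
    """store(x, y, z): the array identical to x except that position y holds z.
    Axioms (7) and (8) hold for this definition by construction."""
    return tuple(v if j == i else arr[j] for j in INDICES)


def all_arrays():
    return list(product(VALUES, repeat=len(INDICES)))


def formula_a(m, m2, a, d):
    """A = (M' = store(M, a, d))."""
    return m2 == store(m, a, d)


def formula_b(m, m2, b, c):
    """B = (b != c and select(M', b) != select(M, b) and select(M', c) != select(M, c))."""
    return (b != c
            and select(m2, b) != select(m, b)
            and select(m2, c) != select(m, c))


def interpolant(m, m2):
    """forall y1, y2. (y1 = y2 or select(M, y1) = select(M', y1)
                                 or select(M, y2) = select(M', y2)),
    i.e. M and M' differ in at most one position.  Only the common symbols
    M and M' are mentioned, as an interpolant requires."""
    return all(y1 == y2
               or select(m, y1) == select(m2, y1)
               or select(m, y2) == select(m2, y2)
               for y1, y2 in product(INDICES, repeat=2))


def check_classical_example():
    """Returns (A_and_B_unsat, A_implies_I, I_and_B_unsat), each checked over
    every interpretation in the finite domain."""
    arrays = all_arrays()
    a_and_b_unsat = not any(
        formula_a(m, m2, a, d) and formula_b(m, m2, b, c)
        for m, m2 in product(arrays, repeat=2)
        for a, b, c in product(INDICES, repeat=3)
        for d in VALUES)
    a_implies_i = all(
        interpolant(m, m2)
        for m, m2 in product(arrays, repeat=2)
        for a in INDICES
        for d in VALUES
        if formula_a(m, m2, a, d))
    i_and_b_unsat = not any(
        interpolant(m, m2) and formula_b(m, m2, b, c)
        for m, m2 in product(arrays, repeat=2)
        for b, c in product(INDICES, repeat=2))
    return a_and_b_unsat, a_implies_i, i_and_b_unsat


if __name__ == "__main__":
    print(check_classical_example())
```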

Naturally, combining array theory with quantifier-free Presburger arithmetic only exacerbates the problem. As we have shown in previous sections, extending PA+UP by guarded integer divisibility predicates results in a theory that is closed under interpolation. We can extend this solution to the theory of arrays, but still only obtain closure under interpolation for small fragments of the logic (like for formulae that do not contain the store symbol). The resulting interpolation procedure is similar in flavour to the procedures in [12, 13] and works by explicit instantiation of the array axioms. As in Sect. 3, axioms are handled lazily using the rules ALL-LEFT-L/R, which introduce quantifiers in interpolants as needed.

Array interpolation via relational encoding. To reduce array expressions to expressions involving uninterpreted predicates, we use the same relational encoding as in Sect. 4. We first lift the axioms (7), (8), and (9) to the relational encoding:

AR_1 = \forall x_1, x_2, y, z_1, z_2.\ \big(store_p(x_1, y, z_1, x_2) \land select_p(x_2, y, z_2) \rightarrow z_1 = z_2\big)

AR_2 = (relational lifting of axiom (8); its body is not recoverable from the extracted text)

AR_3 = \forall x_1, x_2.\ \Big(\big(\forall y, z_1, z_2.\ (select_p(x_1, y, z_1) \land select_p(x_2, y, z_2) \rightarrow z_1 = z_2)\big) \rightarrow x_1 = x_2\Big)

As in the previous sections, these axioms can be used in proofs by ground instantiation based on literals that occur in antecedents of sequents; in the case of $AR_3$, it is also necessary to perform instantiation based on equations occurring in the succedent. This yields an interpolating (though incomplete) calculus for the full logic QPA+AR, and an interpolating decision procedure for the combined theory PAID+AR of Presburger arithmetic with integer division and arrays. Interpolants expressed via the relational encodings of the functions select and store can be translated into interpolants over array expressions via re-substitution rules.

Array properties. The array property fragment, introduced by Bradley et al. [14], comprises Presburger arithmetic and the theory of extensional arrays parameterised by suitable element theories. In array property formulae, integer variables may be quantified universally, provided that the matrix of the resulting quantified formula is guarded by a Boolean combination of equalities and non-strict inequalities. Using such formulae, one can express properties like equality and sortedness of arrays, as they commonly occur in formulae extracted from programs. Despite its expressiveness, satisfiability for this fragment was shown to be decidable by providing an effective decision procedure [14].

Although Bradley et al. did not consider interpolation for the theory of array properties, we observe that the decision procedure given in [14] can easily be made interpolating using the calculus for QPA+AR provided in this paper. The decision procedure proceeds by reducing, in a sequence of 5 steps, array property formulae to formulae in the combined theory of Presburger arithmetic with uninterpreted functions and the element theories. These 5 steps essentially correspond to instantiation of the array axioms and of quantified parts of the input formulae, which can be implemented using the interpolating rules provided
in Fig. 1. The final step is a call to an interpolating decision procedure for Presburger arithmetic and uninterpreted functions combined with suitable element theories; we have presented such a procedure in this paper.

We remark that the array property fragment is not subsumed by the restriction of QPA+AR to Presburger arithmetic and array theory with guarded quantification as allowed in PAID+UF.

5 Related Work and Conclusion 

Related work. Yorsh et al. [15] present a combination method to generate interpolants using interpolation procedures for individual theories. To be applicable, the method requires individual theories to be equality interpolating; this is neither the case for Presburger arithmetic nor for arrays. To the best of our knowledge, it is unknown whether quantifier-free Presburger arithmetic with the integer division operator is equality interpolating.

Interpolation procedures for uninterpreted functions are given by McMil- 
lan [10] and Fuchs et al. [16]. The former approach uses an interpolating calcu- 
lus with rules for transitivity, congruence, etc.; the latter is based on congruence 
closure algorithms. Our calculus in Sect. 4 has similarities with [16], but is more 
flexible concerning the order in which congruence rules are applied. A more sys- 
tematic comparison is planned as future work, including estimating the cost of 
interpolating uninterpreted functions via a reduction to predicates, rather than 
via some direct procedure. The papers [10, 16] do not consider the combination 
with full Presburger arithmetic. 

Kapur et al. [11] present an interpolation method for arrays that works by 
reduction to the theory of uninterpreted functions. To some degree, the interpo- 
lation procedure of Sect. 4.3 can be considered as a lazy version of the procedure 
in [11], performing the reduction to uninterpreted functions only on demand. 

In [12], Jhala et al. define a split prover that computes quantifier-free inter- 
polants in a fragment of the theory of arrays, among others. The main objective 
of [12] is to derive interpolants in restricted languages, which makes it possible 
to guarantee convergence and a certain form of completeness in model checking. 
While our procedure is more general in that the full combined theory of PA 
with arrays can be handled, we consider it as important future work to integrate 
techniques to restrict interpolant languages into our procedure. 

McMillan provides a complete procedure to generate (potentially) quantified 
interpolants for the full theory of arrays [13] by means of explicit array axioms. 
Our interpolation method resembles McMillan's in that explicit array axioms are 
given to a theorem prover, but our procedure is also complete in combination 
with Presburger arithmetic. 

Bradley et al. introduce the concept of constrained universal quantification in array theory [14], which essentially allows a single universal array index quantifier, possibly restricted to an index subrange, e.g. all indices in some range [l, u]. Unlike full quantified array theory, satisfiability is decidable in Bradley's fragment; interpolation is not considered in this work. We have discussed the relationship of this fragment to QPA+AR in Section 4.3.

For a discussion of related work concerning interpolation in pure quantifier- 
free Presburger arithmetic, we refer the reader to [3]. 

Conclusion. We have presented interpolating calculi for the theories of Pres- 
burger arithmetic combined with uninterpreted predicates (QPA+UP), unin- 
terpreted functions (QPA+UF), and extensional arrays (QPA+AR). We have 
demonstrated that these extensions require the use of quantifiers in interpolants. 
Adding notions of guarded quantification, we therefore identified fragments of the 
full first-order theories that are closed under interpolation, yet are expressible 
in assertion languages present in standard programming languages. 

As future work, we plan to extend our results to interpolating SMT solvers, 
particularly aiming at procedures that can be used in model checkers based 
on the lazy abstraction with interpolants paradigm. On the theoretical side, we 
will study the relationship between the logics discussed in this paper, and ar- 
chitectures for combining interpolating procedures, e.g., [15]. We also plan to 
investigate, possibly along the lines of [17], how our interpolation procedure for 
uninterpreted functions relates to existing methods [10, 16], and how it affects the 
strength of computed interpolants. Finally, we plan to investigate a combination 
of our calculus with the Split-Prover approach in [12]. 
A List of interpolating sequent rules



Propositional rules (upper frame):

\frac{\Gamma, \lfloor\phi\rfloor_L \vdash \Delta \blacktriangleright I \qquad \Gamma, \lfloor\psi\rfloor_L \vdash \Delta \blacktriangleright J}{\Gamma, \lfloor\phi \lor \psi\rfloor_L \vdash \Delta \blacktriangleright I \lor J} \quad \text{OR-LEFT-L}

\frac{\Gamma, \lfloor\phi\rfloor_R \vdash \Delta \blacktriangleright I \qquad \Gamma, \lfloor\psi\rfloor_R \vdash \Delta \blacktriangleright J}{\Gamma, \lfloor\phi \lor \psi\rfloor_R \vdash \Delta \blacktriangleright I \land J} \quad \text{OR-LEFT-R}

\frac{\Gamma \vdash \lfloor\phi\rfloor_L, \Delta \blacktriangleright I \qquad \Gamma \vdash \lfloor\psi\rfloor_L, \Delta \blacktriangleright J}{\Gamma \vdash \lfloor\phi \land \psi\rfloor_L, \Delta \blacktriangleright I \lor J} \quad \text{AND-RIGHT-L}

\frac{\Gamma \vdash \lfloor\phi\rfloor_R, \Delta \blacktriangleright I \qquad \Gamma \vdash \lfloor\psi\rfloor_R, \Delta \blacktriangleright J}{\Gamma \vdash \lfloor\phi \land \psi\rfloor_R, \Delta \blacktriangleright I \land J} \quad \text{AND-RIGHT-R}

\frac{\Gamma, \lfloor\phi\rfloor_D, \lfloor\psi\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\phi \land \psi\rfloor_D \vdash \Delta \blacktriangleright I} \quad \text{AND-LEFT}

\frac{\Gamma \vdash \lfloor\phi\rfloor_D, \lfloor\psi\rfloor_D, \Delta \blacktriangleright I}{\Gamma \vdash \lfloor\phi \lor \psi\rfloor_D, \Delta \blacktriangleright I} \quad \text{OR-RIGHT}

\frac{\Gamma \vdash \lfloor\phi\rfloor_D, \Delta \blacktriangleright I}{\Gamma, \lfloor\lnot\phi\rfloor_D \vdash \Delta \blacktriangleright I} \quad \text{NOT-LEFT}

\frac{\Gamma, \lfloor\phi\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma \vdash \lfloor\lnot\phi\rfloor_D, \Delta \blacktriangleright I} \quad \text{NOT-RIGHT}

\frac{*}{\Gamma, \lfloor\phi\rfloor_L \vdash \lfloor\phi\rfloor_L, \Delta \blacktriangleright \mathit{false}} \quad \text{CLOSE-LL}

\frac{*}{\Gamma, \lfloor\phi\rfloor_L \vdash \lfloor\phi\rfloor_R, \Delta \blacktriangleright \phi} \quad \text{CLOSE-LR}

\frac{*}{\Gamma, \lfloor\phi\rfloor_R \vdash \lfloor\phi\rfloor_L, \Delta \blacktriangleright \lnot\phi} \quad \text{CLOSE-RL}

\frac{*}{\Gamma, \lfloor\phi\rfloor_R \vdash \lfloor\phi\rfloor_R, \Delta \blacktriangleright \mathit{true}} \quad \text{CLOSE-RR}

Quantifier rules (lower frame):

\frac{\Gamma, \lfloor[x/t]\phi\rfloor_L, \lfloor\forall x.\,\phi\rfloor_L \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\forall x.\,\phi\rfloor_L \vdash \Delta \blacktriangleright \forall_{Lt}\, I} \quad \text{ALL-LEFT-L}

\frac{\Gamma, \lfloor[x/t]\phi\rfloor_R, \lfloor\forall x.\,\phi\rfloor_R \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\forall x.\,\phi\rfloor_R \vdash \Delta \blacktriangleright \exists_{Rt}\, I} \quad \text{ALL-LEFT-R}

\frac{\Gamma, \lfloor[x/c]\phi\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\exists x.\,\phi\rfloor_D \vdash \Delta \blacktriangleright I} \quad \text{EX-LEFT}

\frac{\Gamma \vdash \lfloor[x/c]\phi\rfloor_D, \Delta \blacktriangleright I}{\Gamma \vdash \lfloor\forall x.\,\phi\rfloor_D, \Delta \blacktriangleright I} \quad \text{ALL-RIGHT}

Fig. 4. The upper frame presents all interpolating rules for propositional logic, while the lower frame shows the interpolating rules to handle quantifiers. Parameter D stands for either L or R. The quantifier $\forall_{Lt}$ denotes universal quantification over all constants occurring in $t$ but not in $\Gamma_L \cup \Delta_L$; likewise, $\exists_{Rt}$ denotes existential quantification over all constants occurring in $t$ but not in $\Gamma_R \cup \Delta_R$.
Additional rules for the PAID+UP extension (upper frame):

\frac{\Gamma, \lfloor(\alpha \nmid t) \lor \exists x.\,(\alpha x + t = 0 \land \phi)\rfloor_D \vdash \Delta \blacktriangleright I}{\Gamma, \lfloor\forall x.\,(\alpha x + t \neq 0 \lor \phi)\rfloor_D \vdash \Delta \blacktriangleright I} \quad \text{ALL-LEFT-GRD}

\frac{\Gamma \vdash \lfloor(\alpha \mid t) \land \forall x.\,(\alpha x + t \neq 0 \lor \phi)\rfloor_D, \Delta \blacktriangleright I}{\Gamma \vdash \lfloor\exists x.\,(\alpha x + t = 0 \land \phi)\rfloor_D, \Delta \blacktriangleright I} \quad \text{EX-RIGHT-GRD}

Excerpt of rules for PA (lower frame):

\frac{*}{\Gamma \vdash 0 = 0\,[t^A = 0], \Delta \blacktriangleright \exists_{L\Delta}\, t^A \neq 0} \quad \text{CLOSE-EQ-RIGHT}

\frac{\Gamma \vdash t = 0\,[0 = 0], \lfloor t = 0\rfloor_R, \Delta \blacktriangleright I}{\Gamma \vdash \lfloor t = 0\rfloor_R, \Delta \blacktriangleright I} \quad \text{IPI-RIGHT}

\frac{\Gamma, t = 0\,[t^A = 0] \vdash s + \alpha \cdot t \circ 0\,[s^A + \alpha \cdot t^A \circ 0], \Delta \blacktriangleright I}{\Gamma, t = 0\,[t^A = 0] \vdash s \circ 0\,[s^A \circ 0], \Delta \blacktriangleright I} \quad \text{RED-RIGHT}

\frac{\Gamma \vdash \alpha \cdot t \circ 0\,[\alpha \cdot t^A \circ 0], \Delta \blacktriangleright I}{\Gamma \vdash t \circ 0\,[t^A \circ 0], \Delta \blacktriangleright I} \quad \text{MUL-RIGHT}

Fig. 5. The lower frame presents an excerpt of rules for PA, while the upper frame shows the additional rules for the PAID+UP extension. Parameter D stands for either L or R. In CLOSE-*, $\exists_{L\Delta}$ denotes existential quantification $\exists c_1, \ldots, c_n$, where $c_1, \ldots, c_n$ are the constants that occur in $\Gamma_L, \Delta_L$ but not in $\Gamma_R, \Delta_R$. In RED-RIGHT and MUL-RIGHT, $\circ \in \{=, \neq\}$. In MUL-RIGHT, $\alpha > 0$ is a positive literal. Formulae in squared brackets such as $[t^A = 0]$ denote partial interpolants, which are required for rules mixing left and right parts. We refer to [3] for more details on partial interpolants.
B Theorem 4: PA+UP is not Closed under Interpolation

This section proves Theorem 4, using the following intermediate result:

Lemma 14. Let $y$ be a constant and $S = \{\alpha_i y + \beta_i \mid \alpha_i, \beta_i \in \mathbb{Z},\ i \in \{1, \ldots, n\}\}$ be a finite set of terms in PA. Then there exists an even number $a \in 2\mathbb{Z}$ such that $\frac{a}{2} \notin \{val_{y/a}(t) \mid t \in S\}$.

Proof. Choose $a \in 2\mathbb{Z}$ such that $a > 2 \cdot \max_i |\beta_i|$. Let us suppose that, for some $t = \alpha y + \beta \in S$, we have $val_{y/a}(\alpha y + \beta) = \alpha a + \beta = \frac{a}{2}$. Thus $2\alpha a + 2\beta = a$ and therefore $(2\alpha - 1)a = -2\beta$. Since $2\alpha - 1 \neq 0$, we distinguish two cases:

• $2\alpha - 1 > 0$: this yields a contradiction because $(2\alpha - 1)a \geq a > 2 \cdot |\beta| = |{-2\beta}| \geq -2\beta$.

• $2\alpha - 1 < 0$: this yields a contradiction because $(2\alpha - 1)a \leq -a < -2 \cdot |\beta| = -|2\beta| \leq -2\beta$. □

We can now prove Theorem 4. 

Proof (Proof of Theorem 4). We construct an example of inconsistent formulae $A$ and $B$ in PA+UP whose interpolant requires quantification. Consider:

A = \big(2c - y = 0 \land p(c)\big) \qquad B = \big(2d - y = 0 \land \lnot p(d)\big)

The symbols $p$ and $y$ are common, while $c$ and $d$ are local. The conjunction $A \land B$ is unsatisfiable. The strongest and the weakest interpolants for $A$ and $B$ are, respectively:

I_s = \exists x.\,\big(2x - y = 0 \land p(x)\big) \qquad I_w = \forall x.\,\big(2x - y = 0 \rightarrow p(x)\big)

Now suppose $I$ is a quantifier-free interpolant for $A \land B$; in particular, $I$ contains only the common symbols $p$ and $y$. Let $S = \{t \mid p(t)$ occurs in $I\}$ be the set of all terms occurring in $I$ as arguments of $p$. All elements of $S$ are PA terms over the symbol $y$. By Lem. 14, there is an even number $a \in 2\mathbb{Z}$ such that $\frac{a}{2} \notin \{val_{y/a}(t) \mid t \in S\}$.

Since $I$ is an interpolant, the implications $I_s \Rightarrow I$ and $I \Rightarrow I_w$ hold. In particular, observe that

(2 \mid y) \models (I_s \Leftrightarrow I) \land (I \Leftrightarrow I_w). \quad (10)

Choose an interpretation $K$ with $K(y) = a$ that satisfies $I$ (this is possible, because such satisfying interpretations exist for $I_s$). Because of (10) and because $K(y)$ is even, it holds that $\frac{a}{2} \in K(p)$. However, we know that $I$ does not contain any atom $p(t)$ such that $val_K(t) = \frac{a}{2}$. This means that $I$ is also satisfied by the interpretation $K'$ that coincides with $K$, with the only exception that $\frac{a}{2} \notin K'(p)$. But $K'$ violates $I_w$, contradicting the assumption that $I$ is an interpolant. □
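The argument can be replayed on any concrete quantifier-free candidate. The following Python code is an added illustration and not part of the paper: it represents a candidate interpolant over the common symbols p and y as a small constructed tuple encoding (my own), picks the even number a of Lemma 14, and evaluates the candidate under the two interpretations K and K' of the proof, which agree on every atom of the candidate but disagree on I_s and I_w.

```python
# Constructed encoding (not the paper's): a quantifier-free formula over the
# common symbols p and y is a nested tuple
#   ("p", alpha, beta)    the atom p(alpha*y + beta)
#   ("eq", alpha, beta)   the PA atom alpha*y + beta = 0
#   ("not", f), ("and", f, g), ("or", f, g)
# An interpretation K is given by K(y), an integer, and K(p), a set of integers.


def p_arguments(formula):
    """The set S of (alpha, beta) pairs occurring as arguments of p."""
    tag = formula[0]
    if tag == "p":
        return {(formula[1], formula[2])}
    if tag == "eq":
        return set()
    return set().union(*(p_arguments(sub) for sub in formula[1:]))


def choose_even_a(terms):
    """Lemma 14: an even a > 2*max|beta| such that no term alpha*y + beta of S
    evaluates to a/2 under y := a."""
    beta_max = max((abs(beta) for _, beta in terms), default=0)
    a = 2 * beta_max + 2          # even and strictly greater than 2*max|beta|
    assert all(alpha * a + beta != a // 2 for alpha, beta in terms)
    return a


def holds(formula, y, p_ext):
    """Truth value of the formula under K with K(y) = y and K(p) = p_ext."""
    tag = formula[0]
    if tag == "p":
        return formula[1] * y + formula[2] in p_ext
    if tag == "eq":
        return formula[1] * y + formula[2] == 0
    if tag == "not":
        return not holds(formula[1], y, p_ext)
    if tag == "and":
        return holds(formula[1], y, p_ext) and holds(formula[2], y, p_ext)
    if tag == "or":
        return holds(formula[1], y, p_ext) or holds(formula[2], y, p_ext)
    raise ValueError("unknown connective " + tag)


def strongest_holds(y, p_ext):
    """I_s = exists x. (2x - y = 0 and p(x)): for even y this is p(y/2)."""
    return y % 2 == 0 and y // 2 in p_ext


def weakest_holds(y, p_ext):
    """I_w = forall x. (2x - y = 0 -> p(x)): vacuous for odd y, p(y/2) otherwise."""
    return y % 2 != 0 or y // 2 in p_ext


def refute(candidate, other_p=frozenset()):
    """Build K and K' from the proof of Theorem 4 for a quantifier-free candidate.
    K(y) = K'(y) = a; K(p) contains a/2, K'(p) does not, and they agree elsewhere.
    Returns (a, I(K), I(K'), I_s(K), I_w(K')).  For every candidate I(K) == I(K'),
    while I_s(K) is true and I_w(K') is false, so the candidate cannot satisfy
    both I_s => I and I => I_w."""
    a = choose_even_a(p_arguments(candidate))
    k_p = set(other_p) | {a // 2}
    k_prime_p = set(other_p) - {a // 2}
    return (a,
            holds(candidate, a, k_p),
            holds(candidate, a, k_prime_p),
            strongest_holds(a, k_p),
            weakest_holds(a, k_prime_p))


if __name__ == "__main__":
    # constructed candidate: p(3) or (y = 6 and p(y - 3))
    print(refute(("or", ("p", 0, 3), ("and", ("eq", 1, -6), ("p", 1, -3))), {3}))
```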
C Proofs generating PAID+UP Interpolants



We give a proof of Lem. 6, from which Thm. 5 can be derived by providing a 
PAID+UP proof procedure. In the whole section, we use rules introduced in [3]. 



C.1 Proof of Lemma 6: Sufficient Conditions for PAID+UP Interpolants

The only rules that introduce quantifiers in interpolants in V are (i) the rules 
CLOSE-EQ-*, CLOSE-ineq, and (ii) the rules all-left-* that are used to instan- 
tiate axiom (1). The quantifiers generated by the first kind of rules can directly 
be eliminated, because the body of the quantified expression is an arithmetic 
literal. In the second case, we consider the sub-proof Q, as described in the 
lemma. There are different scenarios depending on the values of D, E, F; for 
sake of presentation, we only consider D = L,E = R, F = L (all other cases are 
similar): 



Read bottom-up, the sub-proof $\mathcal{Q}$ has the following shape. It starts from the sequent

\Gamma', \lfloor p(\bar s)\rfloor_L \vdash \lfloor \bar s - \bar t = 0\rfloor_L, \lfloor p(\bar t)\rfloor_R, \Delta' \blacktriangleright \bigvee_i K_i

which AND-RIGHT-L splits into one branch for every component $i$,

\ldots \vdash \lfloor s_i - t_i = 0\rfloor_L, \ldots \blacktriangleright K_i .

On each branch IPI-RIGHT turns the succedent equation into $s_i - t_i = 0\,[s_i - t_i = 0]$, applications of RED-RIGHT and MUL-RIGHT (RED-RIGHT*, MUL-RIGHT*) rewrite it to $0 = 0\,[u_i = 0]$, and CLOSE-EQ-RIGHT closes the branch with interpolant $K_i$.

It is possible that $\mathcal{Q}$ contains further applications of RED-RIGHT, MUL-RIGHT, IPI-RIGHT, or AND-RIGHT-L in between the steps shown, but this has no effect on the shape of the interpolant $\bigvee_i K_i$ (apart from some disjunct $K_i$ possibly occurring multiple times). The rule CLOSE-EQ-RIGHT generates the interpolant $K_i = (\exists_{L\Delta}\, u_i \neq 0)$. A careful analysis of the calculus shows that the quantifier $\exists_{L\Delta}$ is in fact empty, i.e., $K_i = (u_i \neq 0)$ and $J_2 = (\bigvee_i K_i) = (\bigvee_i u_i \neq 0)$.

We need to analyse the shape of the interpolant

J_5 = \forall_{R\bar t}\, J_4 = \forall_{R\bar t}\, \big(J_2 \lor p(\bar t)\big) = \forall_{R\bar t}\, \Big(\bigvee_i u_i \neq 0 \lor p(\bar t)\Big) = \forall x_1, \ldots, x_n.\, \Big(\bigvee_i u_i \neq 0 \lor p(\bar t)\Big) \quad (11)

where $x_1, \ldots, x_n$ are all constants in $\bar t$ that are $R$-local in the sequent

\Gamma', \lfloor p(\bar s)\rfloor_L \vdash \lfloor \bar s - \bar t = 0\rfloor_L, \lfloor p(\bar t)\rfloor_R, \Delta' .

Using vector notation for $\bar x = (x_1, \ldots, x_n)^t$, the atom $p(\bar t)$ can be represented as $p(c_1\bar x + v_1, \ldots, c_k\bar x + v_k)$, where $c_1, \ldots, c_k \in \mathbb{Z}^n$ are row vectors of coefficients, and $v_1, \ldots, v_k$ are terms that do not contain any of the constants $x_1, \ldots, x_n$. In matrix notation, this gives $p(\bar t) = p(C\bar x + \bar v)$ for $C = (c_1^t \cdots c_k^t)^t \in \mathbb{Z}^{k \times n}$.

Because $x_1, \ldots, x_n$ are $R$-local, we know that these constants do not occur in any partial interpolant in $\Gamma', \lfloor p(\bar s)\rfloor_L \vdash \lfloor \bar s - \bar t = 0\rfloor_L, \lfloor p(\bar t)\rfloor_R, \Delta'$. This implies that the term $-c_i\bar x$ in the partial interpolant of $s_i - t_i = 0\,[s_i - t_i = 0]$ will not be affected by any application of RED-RIGHT; likewise, applications of MUL-RIGHT can only introduce scaling by some factor $\alpha$. It is therefore possible to represent the final partial interpolant $u_i = 0$ in the form $\alpha c_i\bar x + u_i' = 0$, where $\alpha \in \mathbb{Z} \setminus \{0\}$ and $u_i'$ does not contain any of the constants $x_1, \ldots, x_n$. This means that

\bigvee_i u_i \neq 0 \;=\; \lnot \bigwedge_i \big(\alpha c_i\bar x + u_i' = 0\big) \;=\; \big(\alpha C\bar x + \bar u' \neq \bar 0\big) .

z i 

We now consider the Smith decomposition [18] of the matrix $C$, i.e., the decomposition $C = LSR$ into three integer matrices, such that (i) $L \in \mathbb{Z}^{k \times k}$ and $R \in \mathbb{Z}^{n \times n}$ are invertible (over the integers), (ii) $S$ has the shape

S = \begin{pmatrix} \beta_1 & & & 0 \\ & \ddots & & \\ & & \beta_r & \\ 0 & & & 0 \end{pmatrix}

where $r \leq \min\{k, n\}$ and $\beta_1, \ldots, \beta_r$ are positive integers such that $\beta_{i+1} \in \beta_i\mathbb{Z}$ for all $i \in \{1, \ldots, r-1\}$.

The interpolant $J_5$ in (11) can then be rewritten to form (2) as follows (the third step substitutes $\bar y = R\bar x$, which ranges over all of $\mathbb{Z}^n$ because $R$ is invertible over the integers; the fourth multiplies the first disjunct by $L^{-1}$, which preserves $\neq \bar 0$ because $L$ is invertible):

\begin{aligned}
J_5 &= \forall \bar x.\, \big(\alpha C\bar x + \bar u' \neq \bar 0 \lor p(C\bar x + \bar v)\big) \\
 &= \forall \bar x.\, \big(\alpha LSR\bar x + \bar u' \neq \bar 0 \lor p(LSR\bar x + \bar v)\big) \\
 &= \forall \bar y.\, \big(\alpha LS\bar y + \bar u' \neq \bar 0 \lor p(LS\bar y + \bar v)\big) \\
 &= \forall \bar y.\, \big(\alpha S\bar y + L^{-1}\bar u' \neq \bar 0 \lor p(LS\bar y + \bar v)\big) \\
 &= \forall y_1.\, \Big(\alpha\beta_1 y_1 + (L^{-1}\bar u')_1 \neq 0 \lor {} \\
 &\qquad \forall y_2.\, \Big(\alpha\beta_2 y_2 + (L^{-1}\bar u')_2 \neq 0 \lor {} \\
 &\qquad\qquad \cdots \forall y_r.\, \Big(\alpha\beta_r y_r + (L^{-1}\bar u')_r \neq 0 \lor p(LS\bar y + \bar v)\Big) \cdots \Big)\Big) \;\lor\; \bigvee_{i=r+1}^{k} (L^{-1}\bar u')_i \neq 0
\end{aligned}

where $\bar y = (y_1, \ldots, y_n)^t$ is a vector of fresh variables, and $(L^{-1}\bar u')_i$ denotes the $i$th element of the vector $L^{-1}\bar u'$ of terms. Note that the variables $y_{r+1}, \ldots, y_n$ only occur with coefficient zero in the expression $S\bar y$, and therefore do not have to be quantified. This shows that $J_5$ is equivalent to a PAID+UP formula and concludes the proof.
C.2 Proof of Theorem 5: Completeness of the PAID+UP Calculus



We describe a proof procedure that, given a sequent $\Gamma \vdash \Delta \blacktriangleright ?$ such that $\Gamma_L, \Gamma_R \vdash \Delta_L, \Delta_R$ is valid, generates a proof satisfying the conditions in Lem. 6. The following reasoning steps are performed:

1. Apply rules OR-*, AND-*, NOT-*, EX-LEFT, ALL-RIGHT, ALL-LEFT-GRD, EX-RIGHT-GRD, DIV-*, IPI-*, SPLIT-* exhaustively; move all inequalities to the antecedent. This will eliminate all propositional connectives and quantifiers in formulae; what remains are proof goals of the form

\{t_i \leq 0\,[t_i^A \leq 0]\}_{i \in I},\ \{s_j = 0\,[s_j^A = 0]\}_{j \in J},\ \{\lfloor p_k(\bar u_k)\rfloor_{D_k}\}_{k \in K} \;\vdash\; \{\lfloor p_m(\bar u_m)\rfloor_{D_m}\}_{m \in M} \blacktriangleright ?

where $I, J, K, M$ are disjoint sets of indexes.

2. Apply rules RED-LEFT, COL-RED-*, MUL-LEFT to solve the equalities in the antecedents, as described in [19]. This either leads to an unsatisfiable equality, in which case the rule CLOSE-EQ-LEFT can be applied, or to goals of the form

\{t_i \leq 0\,[t_i^A \leq 0]\}_{i \in I},\ \{\alpha_j c_j + s_j = 0\,[s_j^A = 0]\}_{j \in J},\ \{\lfloor p_k(\bar u_k)\rfloor_{D_k}\}_{k \in K} \;\vdash\; \{\lfloor p_m(\bar u_m)\rfloor_{D_m}\}_{m \in M} \blacktriangleright ? \quad (12)

where $I, J, K, M$ are disjoint sets of indexes, $\alpha_j \in \mathbb{Z} \setminus \{0\}$ divides all coefficients and constant terms in $s_j$, the constants $c_j$ are pairwise distinct, and no $c_j$ occurs in any term $t_i$ or $s_{j'}$. In particular, this means that the equalities $\{\alpha_j c_j + s_j = 0\}_{j \in J}$ are satisfiable.

3. Whenever a sequent contains literals $p_k(\bar u_k)$ and $p_m(\bar u_m)$ such that $p_k = p_m$, and such that $\bar u_k = \bar u_m$ is implied by the equalities $\{\alpha_j c_j + s_j = 0\}_{j \in J}$, instantiate the consistency axiom (1) for $p_k(\bar u_k)$ and $p_m(\bar u_m)$, and close the resulting sub-proofs as shown in Lem. 6 (i) and in the beginning of Sect. C.1.

4. Apply STRENGTHEN in a fair manner to the inequalities in the antecedents. Whenever a new equation is generated by a STRENGTHEN application, go back to step 2. Whenever a sequent has been derived in which the inequalities in the antecedent are rationally inconsistent, apply FM-ELIM exhaustively, and apply CLOSE-INEQ to a resulting contradictory inequality.

This procedure will in finitely many steps construct a closed proof tree for the valid PAID+UP sequent $\Gamma \vdash \Delta$; by construction, the proof satisfies the conditions in Lem. 6 (i).

Two steps in the procedure require further considerations:

— Termination of the loop 2–4: it has to be shown that systematic application of STRENGTHEN terminates: on every branch of the generated proof, eventually a sequent is reached in which no inequalities remain, or in which the remaining inequalities are rationally inconsistent. Recall that every application of STRENGTHEN produces three new goals: one in which an inequality $t_i \leq 0$ has been turned into an equality $t_i = 0$ (case (a)), and two in which an inequality $t_i \leq 0$ has been strengthened to $t_i + 1 \leq 0$ (case (b)).
Reasoning by contradiction, assume that the procedure never terminates on 
some branch. This means that, from some point on, we are always looking 
at the (b) case on the branch, and that the number of inequalities on the 
branch remains constant and non-zero. 

Note that we can assume that each sequent (12) considered in step 4 is valid (ignoring interpolant annotations, which are not relevant at this point); equivalently, the following formula is unsatisfiable:

\bigwedge_{i \in I} t_i \leq 0 \;\land\; \bigwedge_{j \in J} \alpha_j c_j + s_j = 0 \;\land\; \bigwedge_{k \in K,\, m \in M} \bar u_k \neq \bar u_m

By rewriting the negated equalities using the equalities $\alpha_j c_j + s_j = 0$, eliminating every occurrence of a constant $c_j$, we obtain a new unsatisfiable conjunction without positive equalities:

\bigwedge_{i \in I} t_i \leq 0 \;\land\; \bigwedge_{k \in K,\, m \in M} \bar u_k' \neq \bar u_m'

Because step 3 has not been able to close the goal at hand, we can assume that each disjunction $\bar u_k' - \bar u_m' \neq \bar 0$ contains at least one disequality that is not of the form $0 \neq 0$; we denote this disequality with $v_{k,m} \neq 0$. We then know that also the following formula is unsatisfiable:

\bigwedge_{i \in I} t_i \leq 0 \;\land\; \bigwedge_{k \in K,\, m \in M} v_{k,m} \neq 0

This corresponds to (the negation of) formula (15) in Lem. 15, which tells us that there is an $r \in \mathbb{R}$, and therefore also a $\beta \in \mathbb{Z}$, such that the following formula is even rationally unsatisfiable:

\bigwedge_{i \in I} t_i + \beta \leq 0

Because fair application of STRENGTHEN will eventually turn every inequality $t_i \leq 0$ into an inequality $t_i + \beta_i \leq 0$ such that $\beta_i \geq \beta$, it is guaranteed that the inequalities in the antecedent eventually become rationally unsatisfiable. This contradicts the assumption that the procedure does not terminate on the considered branch.

— Existence of a complementary pair in step 3: we have to show that a complementary pair of literals can be selected in step 3 once all inequalities have been eliminated from a sequent (in step 4). By assumption, we know that the sequents considered in step 3 are valid (again ignoring interpolants). Inequality-free sequents of the form produced in step 2 are valid iff the sequent

\{\alpha_j c_j + s_j = 0\}_{j \in J} \;\vdash\; \{\bar u_k = \bar u_m\}_{k \in K,\, m \in M} \quad (13)
is valid.

We reason by contradiction: suppose that each conjunction $\bar u_k = \bar u_m$ of equalities contains one equation that is not implied by $\{c_j + s_j/\alpha_j = 0\}_{j \in J}$; we assume w.l.o.g. that this is always the first equation $u_k^1 = u_m^1$. This means that the sequents

\{\alpha_j c_j + s_j = 0\}_{j \in J} \;\vdash\; u_k^1 = u_m^1

cannot be proven using the rules RED-RIGHT and MUL-RIGHT to reduce equalities in the succedent, and the rule CLOSE-EQ-RIGHT to detect valid equalities. Consequently the rules are not sufficient to prove the sequent

\{\alpha_j c_j + s_j = 0\}_{j \in J} \;\vdash\; \{u_k^1 = u_m^1\}_{k \in K,\, m \in M}

either. By completeness results in [20], this implies that the sequent is invalid. But then also (13) is invalid, contradicting the assumption.
D Integer Projection Lemma

Let $\{v_1, \ldots, v_n\}$ be a fixed set of variables. For any term $t$, we introduce the function $\hat t : \mathbb{R}^n \to \mathbb{R}$ defined by $\hat t(x_1, \ldots, x_n) = [v_1/x_1, \ldots, v_n/x_n]\,t$.

Lemma 15. Let $\{t^1, \ldots, t^m\}$ be a set of terms of the form $t^j = c_0^j + \sum_{i=1}^{n} c_i^j v_i$, and $\{s^1, \ldots, s^p\}$ be a set of non-null terms of the form $s^k = d_0^k + \sum_{i=1}^{n} d_i^k v_i$, i.e. for each $k$ there exists an $i \in \{1, \ldots, n\}$ with $d_i^k \neq 0$. Suppose the following formula is valid:

\forall r \in \mathbb{R}\ \exists y_1, \ldots, y_n \in \mathbb{R}\ \forall j \in \{1, \ldots, m\} :\ \hat t^j(y_1, \ldots, y_n) < r . \quad (14)

Then the following formula is valid:

\exists z_1, \ldots, z_n \in \mathbb{Z}\ \Big(\forall j \in \{1, \ldots, m\} :\ \hat t^j(z_1, \ldots, z_n) < 0 \;\land\; \forall k \in \{1, \ldots, p\} :\ \hat s^k(z_1, \ldots, z_n) \neq 0\Big). \quad (15)

Before we can prove this lemma, we need a few definitions and auxiliary properties. Define the function $f : \mathbb{R}^n \to \mathbb{R}$ via

f(x_1, \ldots, x_n) = \max_{j=1}^{m} \hat t^j(x_1, \ldots, x_n) .

We also define $\|C\| = \sum_{j=1}^{m} \sum_{i=1}^{n} |c_i^j|$, the 1-norm of the coefficient matrix induced by the $t^j$.

Property 16. For real numbers $a, b, e$, $\max\{a + e, b\} \leq \max\{a, b\} + |e|$.

Proof:

(i) If $e \geq 0$, then $a + e \leq \max\{a, b\} + e$, and $b \leq b + e \leq \max\{a, b\} + e$. Thus $\max\{a + e, b\} \leq \max\{a, b\} + e \leq \max\{a, b\} + |e|$.

(ii) If $e < 0$, then let $\delta = -e > 0$. Using (i) with $\delta$ in place of $e$, we obtain: $\max\{a + e, b\} \leq \max\{a + \delta, b\} \leq \max\{a, b\} + \delta = \max\{a, b\} + |e|$.

Property 17. Given $y_1, \ldots, y_n \in \mathbb{R}$, define $z_i := \lfloor y_i \rfloor \in \mathbb{Z}$ for $i \in \{1, \ldots, n\}$, where $\lfloor \cdot \rfloor$ denotes the floor of a real number. Then $f(z_1, \ldots, z_n) \leq f(y_1, \ldots, y_n) + \|C\|$.

Proof:

\begin{aligned}
f(z_1, \ldots, z_n) &= \max_{j=1}^{m} \hat t^j(z_1, \ldots, z_n) \\
 &= \max_{j=1}^{m} \Big( c_0^j + \sum_{i=1}^{n} c_i^j (y_i + z_i - y_i) \Big) \\
 &= \max_{j=1}^{m} \Big( c_0^j + \sum_{i=1}^{n} c_i^j y_i + \sum_{i=1}^{n} c_i^j (z_i - y_i) \Big) \\
 &\overset{(*)}{\leq} \max_{j=1}^{m} \Big( c_0^j + \sum_{i=1}^{n} c_i^j y_i \Big) + \sum_{j=1}^{m} \Big| \sum_{i=1}^{n} c_i^j (z_i - y_i) \Big| \\
 &\leq f(y_1, \ldots, y_n) + \sum_{j=1}^{m} \sum_{i=1}^{n} |c_i^j| \cdot |z_i - y_i| \\
 &\overset{(**)}{\leq} f(y_1, \ldots, y_n) + \|C\| ,
\end{aligned}

where $(*)$ applies Property 16 ($m$ times), and $(**)$ uses $|z_i - y_i| = |\lfloor y_i \rfloor - y_i| \leq 1$.
Proof of Lemma 15: Let $r = -(p^2 + 1) \cdot \|C\|$. By (14), there exist $y_1, \ldots, y_n \in \mathbb{R}$ such that $f(y_1, \ldots, y_n) < r$. For $1 \leq i \leq n$, define $g_i = \lfloor y_i \rfloor \in \mathbb{Z}$. Our final solutions $z_i$ will have the form $z_i = g_i + h_i$. We obtain suitable $h_i \in \mathbb{Z}$ by examining the condition that the functions $\hat s^k$ must not evaluate to 0. The condition involving the $t^j$ will then be satisfied due to our choice of $r$ above.

To this end, we prove that there exist integers $h_1, \ldots, h_n \in \mathbb{Z}_{\geq 0}$ such that:

(i) for all $k \in \{1, \ldots, p\}$, $\hat s^k(g_1 + h_1, \ldots, g_n + h_n) \neq 0$, and

(ii) for all $i \in \{1, \ldots, n\}$, $h_i \leq p^2$.

The proof is by induction on $p$:

— For $p = 0$, the claim holds trivially with $h_i = 0$ for all $i$.

— Suppose the claim holds for $p - 1$. That is, we have for all $k \in \{1, \ldots, p-1\}$, $\hat s^k(g_1 + h_1, \ldots, g_n + h_n) \neq 0$, and $h_i \leq (p-1)^2$ for all $i$.

If $\hat s^p(g_1 + h_1, \ldots, g_n + h_n) \neq 0$, we can choose the same numbers $h_1, \ldots, h_n$.

If $\hat s^p(g_1 + h_1, \ldots, g_n + h_n) = 0$, let $i_0$ be such that $i_0 \geq 1$ and $d_{i_0}^p \neq 0$, i.e. $d_{i_0}^p$ is a non-zero coefficient of a variable in $s^p$. Such an index exists since $s^p$ is non-null and $\hat s^p(g_1 + h_1, \ldots, g_n + h_n) = 0$ implies that $s^p$ cannot be the constant term $d_0^p$. We can now replace the argument $g_{i_0} + h_{i_0}$ by $g_{i_0} + h_{i_0} + 1$, in which case $\hat s^p$ will evaluate to $d_{i_0}^p$, which is non-zero, as desired. The problem is that this replacement may nullify a function $\hat s^{k_0}$ with $k_0 < p$. Note that this is only possible if $d_{i_0}^{k_0} \neq 0$, i.e. $s^{k_0}$ must have a non-zero coefficient at the same position $i_0$ as $s^p$. To re-enforce that $\hat s^{k_0}$ evaluates to non-zero, we replace $g_{i_0} + h_{i_0} + 1$ by $g_{i_0} + h_{i_0} + 2$. This replacement does not nullify $\hat s^p$ again, as the following argument shows: For $k \in \{1, \ldots, p\}$, $i \in \{1, \ldots, n\}$, integers $a_1, \ldots, a_n$ and $h \in \mathbb{Z}$:

\hat s^k(a_1, \ldots, a_{i-1}, a_i + h, a_{i+1}, \ldots, a_n) = \hat s^k(a_1, \ldots, a_n) + d_i^k \cdot h .

In particular, if $\hat s^k(a_1, \ldots, a_n) = 0$ and $d_i^k \neq 0$, then replacing the argument $a_i$ by any larger integer results in a non-zero value of $\hat s^k$. Thus, to complete the inductive step, we increase $g_{i_0} + h_{i_0}$ until none of the functions $\hat s^k$ evaluates to 0. Since there are $p$ such functions, this requires at most $p$ increases (of magnitude 1), thus $h_{i_0} \leq (p-1)^2 + p \leq p^2$, using the induction hypothesis (IH) for the first summand. Note that values $h_i$ with $i \neq i_0$ are not affected; here we simply have $h_i \leq (p-1)^2 \leq p^2$.
This concludes the inductive proof. What remains to show is that, with $z_i := g_i + h_i$ for all $i$, we have $f(z_1, \ldots, z_n) < 0$:

\begin{aligned}
f(z_1, \ldots, z_n) &= \max_{j=1}^{m} \Big( c_0^j + \sum_{i=1}^{n} c_i^j (g_i + h_i) \Big) \\
 &\overset{(*)}{\leq} \max_{j=1}^{m} \Big( c_0^j + \sum_{i=1}^{n} c_i^j g_i \Big) + \sum_{j=1}^{m} \Big| \sum_{i=1}^{n} c_i^j h_i \Big| \\
 &\leq f(g_1, \ldots, g_n) + \sum_{j=1}^{m} \sum_{i=1}^{n} |c_i^j| \cdot h_i \\
 &\leq f(g_1, \ldots, g_n) + p^2 \cdot \|C\| \\
 &\overset{(**)}{\leq} \big( f(y_1, \ldots, y_n) + \|C\| \big) + p^2 \cdot \|C\| \\
 &\overset{(***)}{<} \big( r + \|C\| \big) + p^2 \cdot \|C\| \\
 &= 0 ,
\end{aligned}

where $(*)$ applies Property 16 ($m$ times), $(**)$ applies Property 17, and $(***)$ is by the choice of $r$.
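The inductive construction in the proof is effective. The following Python code is an added example and not from the paper: given the real witness y that hypothesis (14) provides for r = −(p²+1)‖C‖ (supplied as an input here, since finding it is a separate rational feasibility problem), it rounds down to g, performs the bumping step along a non-zero coefficient until no ŝ^k vanishes, and checks conclusion (15). Terms are encoded as coefficient lists [c_0, c_1, …, c_n] (my own encoding); the sample instance at the bottom is constructed.

```python
import math


def ev(term, x):
    """Value of the term c_0 + sum_i c_i x_i at the point x."""
    return term[0] + sum(c * xi for c, xi in zip(term[1:], x))


def one_norm(T):
    """||C||: the sum of |c_i^j| over all variable coefficients of the terms t^j."""
    return sum(abs(c) for t in T for c in t[1:])


def f_max(T, x):
    """f(x) = max_j t^j(x)."""
    return max(ev(t, x) for t in T)


def integer_projection(T, S, y):
    """Given reals y with f(y) < r = -(p^2+1)||C|| (the witness of hypothesis (14)),
    return integers z with every t^j(z) < 0 and every s^k(z) != 0, following the
    inductive construction of the proof of Lemma 15."""
    n, p = len(y), len(S)
    r = -(p * p + 1) * one_norm(T)
    assert f_max(T, y) < r, "y must witness hypothesis (14) for r"
    g = [math.floor(yi) for yi in y]          # Property 17: f(g) <= f(y) + ||C||
    h = [0] * n
    for k in range(p):                        # induction over s^1, ..., s^p
        z = [gi + hi for gi, hi in zip(g, h)]
        if ev(S[k], z) != 0:
            continue
        # s^k vanishes at z.  Pick a position i0 with d_{i0}^k != 0 (it exists
        # because s^k is non-null) and step along that axis until none of
        # s^1, ..., s^k vanishes: each of them is zeroed by at most one value
        # of z[i0], so at most k steps are needed and h[i0] stays <= p^2.
        i0 = next(i for i, d in enumerate(S[k][1:]) if d != 0)
        while any(ev(S[kk], z) == 0 for kk in range(k + 1)):
            h[i0] += 1
            z[i0] += 1
    z = [gi + hi for gi, hi in zip(g, h)]
    assert all(hi <= p * p for hi in h)       # bound (ii) from the inductive proof
    return z


def check_conclusion(T, S, z):
    """Formula (15): all t^j(z) < 0 and all s^k(z) != 0 at the integer point z."""
    return all(ev(t, z) < 0 for t in T) and all(ev(s, z) != 0 for s in S)


if __name__ == "__main__":
    # constructed instance: t^1 = 1 + x1, t^2 = 1 + x2, s^1 = x1 - x2, s^2 = 1 + x1
    T = [[1, 1, 0], [1, 0, 1]]
    S = [[0, 1, -1], [1, 1, 0]]
    z = integer_projection(T, S, [-12.5, -12.5])   # y witnesses (14) for r = -10
    print(z, check_conclusion(T, S, z))
```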



E Proofs generating PAID+UF Interpolants

E.1 Proof of Lemma 12: Sufficient Conditions for PAID+UF$_p$ Interpolants

The reasoning is similar as for Lem. 6 in Sect. C.1. Consider a sub-proof of $\mathcal{P}$ of the form shown in Lem. 12. We only consider the case $D = L, E = R, F = R$, as the other cases are similar. The interpolant generated by the sub-proof is

J_6 = \exists_{L\bar s_1 t_1 \bar s_2 t_2}\, J_5 = \exists_{L\bar s_1 t_1}\, J_5 = \exists_{L\bar s_1 t_1}\, \big(J_3 \land f_p(\bar s_1, t_1) \land J_4\big)

By definition of PAID+UF$_p$, we know that $t_1$ is a Skolem constant. If $t_1$ is $L$-local at this point in the proof (the quantifier $\exists_{L t_1}$ does not disappear), then it is $L$-local also in $\mathcal{Q}$, which means that $t_1$ does not occur in the interpolant $J_3$. This implies:

J_6 = \cdots = \exists_{L\bar s_1}\, \big(J_3 \land \exists_{L t_1}\, (f_p(\bar s_1, t_1) \land J_4)\big)

Furthermore, observe that the constants quantified by $\exists_{L\bar s_1}$ are $L$-local in $\mathcal{R}$, so that none of them occurs in $J_4$. As in the proof of Lem. 6, the expression $\exists_{L\bar s_1}\,(J_3 \land \cdots)$ can then be transformed to a sequence of guarded quantifiers:

\begin{aligned}
J_6 = {} & \exists y_1.\, \Big(\alpha\beta_1 y_1 + (L^{-1}\bar u')_1 = 0 \land {} \\
 & \quad \exists y_2.\, \Big(\alpha\beta_2 y_2 + (L^{-1}\bar u')_2 = 0 \land {} \\
 & \quad\quad \cdots \exists y_r.\, \Big(\alpha\beta_r y_r + (L^{-1}\bar u')_r = 0 \land \exists_{L t_1}\, \big(f_p(LS\bar y + \bar v, t_1) \land J_4\big)\Big) \cdots \Big)\Big) \\
 & \land \bigwedge_{i=r+1}^{k} (L^{-1}\bar u')_i = 0
\end{aligned}

To conclude the proof, we have to consider two cases:

— $t_1$ is $L$-local and the quantifier $\exists_{L t_1}$ does not disappear: then we are finished, because it has been shown that $J_6$ is equivalent to a PAID+UF$_p$ formula.

— $\exists_{L t_1}$ disappears: in this case, we can rewrite the formula $f_p(LS\bar y + \bar v, t_1) \land J_4$ to $\exists z.\, \big(f_p(LS\bar y + \bar v, z) \land t_1 = z \land J_4\big)$, which is in PAID+UF$_p$.

E.2 Proof of Theorem 10: Closure of PAID+UF under Interpolation

Most importantly, we can first observe that a completeness result similar to Thm. 5 also holds for PAID+UF$_p$ (given in the next lemma). Theorem 10 then follows as a simple implication, because PAID+UF formulae can be translated to PAID+UF$_p$, interpolated, and the interpolant translated back to PAID+UF.

Lemma 18 (Completeness). Suppose that $A_{Rel}, B_{Rel}, \{FC_f\}_{f \in F_A \cup F_B} \vdash$ is valid. Then there is a formula $I$ such that (i) the sequent

\lfloor A_{Rel}\rfloor_L, \lfloor B_{Rel}\rfloor_R, \{\lfloor FC_f\rfloor_L\}_{f \in F_A}, \{\lfloor FC_f\rfloor_R\}_{f \in F_B} \;\vdash\; \blacktriangleright I \quad (16)

is provable in the calculus of Sect. 3.1, enriched with the rules ALL-LEFT-GRD and EX-RIGHT-GRD, and (ii) $I$ is a PAID+UF$_p$ formula up to normalisation of guards in expressions (2).

Proof. Given a sequent such that $A_{Rel}, B_{Rel}, \{FC_f\}_{f \in F_A \cup F_B} \vdash$ is valid, we can construct a proof of (16) satisfying the conditions in Lem. 12 using a procedure similar to the one in Sect. C.2. Lem. 12 then guarantees that the interpolant $I$ is in PAID+UF$_p$ up to guard normalisation.

In the procedure of Sect. C.2, only step 3 has to be changed to obtain an algorithm for PAID+UF$_p$: instead of searching for complementary literals $p_k(\bar u_k)$ and $p_m(\bar u_m)$, in the PAID+UF$_p$ case we have to check for literals $f_p(\bar s_1, t_1)$ and $f_p(\bar s_2, t_2)$ such that $\bar s_1 = \bar s_2$ is implied by the equalities in the antecedent. If such a pair has been detected, the consistency axiom $FC_f$ can be instantiated, closing the first three premises as dictated by Lem. 12. For the fourth premise, the proof procedure can go back to step 2 and continue proving. To ensure termination of the overall procedure, it only has to be guaranteed that the axiom $FC_f$ is not repeatedly instantiated on the same branch for the same pair of literals $f_p(\bar s_1, t_1)$ and $f_p(\bar s_2, t_2)$. □